This chapter covers certificate management, a critical topic for the CompTIA A+ 220-1102 exam under Security domain objective 2.2. You will learn what digital certificates are, how they work, how to manage them in Windows, macOS, and Linux, and common troubleshooting scenarios. Expect approximately 5-8% of exam questions to touch on certificate management, often in the context of secure web browsing, email encryption, or device authentication. Mastery of this topic is essential for any IT support professional.
Jump to a section
Think of digital certificates like a passport system. A passport is issued by a trusted government authority (Certificate Authority or CA) after verifying your identity. It contains your photo, name, and a unique passport number (public key). When you travel to another country, the border officer (web browser) checks your passport's authenticity by verifying the issuing authority's signature using the authority's public key (CA certificate). The officer also checks the expiration date (validity period) and ensures the passport hasn't been revoked by checking a blacklist (Certificate Revocation List or CRL). If your passport is lost or stolen, the government revokes it and adds it to the blacklist, so even if someone else tries to use it, they will be denied. Similarly, in the digital world, certificates bind a public key to an entity (like a website), and trust is established through a chain of CAs. The passport analogy breaks down slightly because digital certificates can be self-signed (like a fake passport you create yourself) which no trusted authority validates — browsers will warn you. Also, certificate revocation can be checked via Online Certificate Status Protocol (OCSP) which is like a real-time phone call to the issuing authority to ask, "Is this passport still valid?" This real-time check is faster than downloading the entire blacklist. In enterprise environments, a Private CA acts like a company issuing its own internal ID cards — trusted only within the company, not by external browsers. The core idea: certificates are about establishing and maintaining trust through cryptographic signatures, expiration, and revocation mechanisms.
What is a Digital Certificate?
A digital certificate is an electronic document that uses a digital signature to bind a public key with an identity — such as a person, organization, or device. The certificate contains information about the key, the identity of its owner, and the digital signature of an entity that has verified the certificate's contents (the issuer). If the signature is valid and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. The most common standard for digital certificates is X.509, defined in RFC 5280. X.509 certificates are used in TLS/SSL for secure web browsing, S/MIME for email encryption, code signing, and client authentication.
Why Certificates Exist
Before certificates, secure communication relied on manually exchanging public keys — impractical at scale. Certificates solve the problem of key distribution by providing a trusted third party (Certificate Authority or CA) that vouches for the authenticity of a public key. Without certificates, an attacker could perform a man-in-the-middle attack by substituting their own public key and impersonating a server. Certificates allow a client to verify that the public key it receives truly belongs to the expected server.
How Certificates Work Internally
When you connect to an HTTPS website, the following occurs:
The client (browser) requests the server's certificate during the TLS handshake.
The server sends its certificate, which includes its public key, subject (domain name), issuer (CA), validity period, and other fields.
The client checks the certificate's validity: is the current time within the validity period? Does the domain name match? Is the certificate signed by a trusted CA?
To verify the signature, the client uses the CA's public key (which comes from a root certificate already installed in the client's trust store). The client decrypts the signature using the CA's public key and compares the hash of the certificate's contents with the decrypted hash. If they match, the certificate is authentic.
The client then uses the server's public key to encrypt a pre-master secret, which is sent to the server. Only the server can decrypt it with its private key. From there, symmetric session keys are derived.
Key Components of an X.509 Certificate
Version: Usually version 3 (v3) which supports extensions.
Serial Number: Unique integer assigned by the CA.
Signature Algorithm: The algorithm used to sign the certificate (e.g., sha256WithRSAEncryption).
Issuer: The entity that issued the certificate (the CA).
Validity: Not Before and Not After dates.
Subject: The entity the certificate identifies (e.g., domain name).
Public Key: The public key of the subject, along with the algorithm (e.g., RSA 2048 bits).
Extensions: Additional fields like Key Usage, Extended Key Usage, Subject Alternative Name (SAN), Basic Constraints.
Key Usage: Specifies the cryptographic operations for which the key may be used (e.g., digitalSignature, keyEncipherment).
Extended Key Usage: Specifies the purpose (e.g., serverAuth, clientAuth, codeSigning).
SAN: Allows multiple domain names to be protected by one certificate.
Basic Constraints: Identifies whether the subject is a CA.
Certificate Authorities and Trust Chains
A Certificate Authority (CA) is a trusted entity that issues certificates. CAs are organized in a hierarchy:
Root CA: Self-signed certificate at the top of the chain. Root CA certificates are pre-installed in operating systems and browsers.
Intermediate CA: Signed by the root CA. Used to issue end-entity certificates. This provides security: if an intermediate CA is compromised, the root CA can revoke it without re-installing root certificates.
End-Entity Certificate: The actual server or client certificate.
When verifying a certificate, the client builds a chain from the end-entity certificate up to a trusted root. Each certificate in the chain must be valid (not expired, not revoked) and signed by the next certificate in the chain.
Certificate Revocation
Certificates can be revoked before their expiration if the private key is compromised, the certificate was issued incorrectly, or the entity is no longer authorized. Revocation checking is done via:
Certificate Revocation List (CRL): A list of serial numbers of revoked certificates published by the CA. Clients download the CRL and check against it. CRLs can become large and are not real-time.
Online Certificate Status Protocol (OCSP): A real-time protocol where the client sends a request to the CA's OCSP responder with the certificate's serial number and receives a response of "good", "revoked", or "unknown". OCSP is more efficient than CRLs but introduces a privacy concern (the CA learns which sites you visit) and a potential single point of failure. OCSP stapling is a solution where the server periodically fetches an OCSP response and includes it in the TLS handshake, reducing client overhead.
Certificate Formats and File Extensions
.cer / .crt / .der: Binary DER-encoded certificate (raw certificate without private key).
.pem: Base64-encoded DER certificate, often with header/footer lines (e.g., -----BEGIN CERTIFICATE-----).
.p12 / .pfx: PKCS#12 format that bundles the certificate and private key together, protected by a password.
.jks: Java KeyStore format for Java applications.
Managing Certificates in Windows
Windows uses the Certificate Manager (certmgr.msc) for user certificates and the Certificate MMC snap-in for computer certificates. Key tasks:
Viewing certificates: Open certmgr.msc, navigate to Personal or Trusted Root Certification Authorities.
Importing a certificate: Right-click on the store, choose All Tasks > Import, and follow the wizard. For .pfx files, you'll need the private key password.
Exporting a certificate: Right-click the certificate, choose All Tasks > Export. You can export without the private key (.cer) or with the private key (.pfx).
Deleting a certificate: Right-click and choose Delete.
Verifying a certificate: Double-click the certificate to view details, including the certification path and whether it is trusted.
Command line: Use certutil for advanced operations. For example, to display a certificate:
certutil -store MyTo add a certificate to the trusted root store:
certutil -addstore Root certfile.cerManaging Certificates in macOS
macOS uses Keychain Access. Keychains store certificates, private keys, and passwords. The system keychain contains root certificates. To manage certificates:
Open Keychain Access from Utilities.
Certificates are listed under the Certificates category.
To import a certificate, drag the file into the appropriate keychain or use File > Import Items.
To export, select the certificate, choose File > Export Items, and choose format (.cer or .p12).
To view details, double-click the certificate.
Command line: Use security command. For example:
security add-certificate -k /Library/Keychains/System.keychain cert.cer
security find-certificate -c "Common Name"Managing Certificates in Linux
Linux systems typically store certificates in /etc/ssl/certs and private keys in /etc/ssl/private. Trusted CA certificates are often in /etc/ssl/certs/ca-certificates.crt (a bundle) or in /usr/local/share/ca-certificates/. The update-ca-certificates command updates the system's trust store.
To add a custom CA certificate:
Copy the .crt file to /usr/local/share/ca-certificates/.
Run sudo update-ca-certificates.
To view certificate details:
openssl x509 -in cert.pem -text -nooutTo verify a certificate against a CA bundle:
openssl verify -CAfile ca-bundle.crt server.crtCommon Certificate Issues and Troubleshooting
Expired certificate: Check the validity dates. Renew the certificate.
Name mismatch: The certificate's Common Name (CN) or Subject Alternative Name (SAN) does not match the hostname. Ensure the certificate covers the correct domain.
Untrusted root: The issuing CA is not in the client's trust store. Install the root certificate.
Revoked certificate: The certificate has been revoked. Obtain a new certificate.
Private key missing: The server does not have the private key associated with the certificate. Ensure the private key is installed correctly.
Certificate chain incomplete: The server must send the full chain (server certificate plus intermediate certificates). Otherwise, clients may not trust the certificate.
Self-Signed Certificates
A self-signed certificate is signed by its own private key, not by a trusted CA. They are free and easy to create but are not trusted by default. Browsers will show a warning. They are acceptable for internal testing or lab environments. To create a self-signed certificate in Windows using PowerShell:
New-SelfSignedCertificate -DnsName "myserver.local" -CertStoreLocation "Cert:\LocalMachine\My"In Linux using OpenSSL:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodesCertificate Lifecycle
Request: Generate a key pair and create a Certificate Signing Request (CSR) that includes the public key and identity information.
Validation: The CA validates the identity of the requester. Domain Validation (DV) only checks control of the domain, Organization Validation (OV) checks organization details, and Extended Validation (EV) involves a rigorous vetting process.
Issuance: The CA signs the CSR with its private key, producing the certificate.
Installation: Install the certificate on the server along with the private key.
Usage: The certificate is used for authentication and encryption.
Renewal: Before expiration, a new certificate must be obtained.
Revocation: If compromised, the certificate is revoked.
Interaction with Related Technologies
Certificate management is closely tied to:
HTTPS/TLS: Certificates are the foundation of TLS. Without valid certificates, HTTPS cannot establish trust.
S/MIME: Email encryption and signing use certificates. Each user needs a personal certificate.
Code Signing: Developers sign code with certificates to prove authenticity and integrity.
Wi-Fi (802.1X): Certificates are used for client and server authentication in enterprise Wi-Fi networks.
VPN: Certificates authenticate VPN endpoints and users.
Active Directory: Domain controllers use certificates for LDAP over SSL (LDAPS).
Smart Cards: Certificates stored on smart cards authenticate users.
Exam-Specific Details for 220-1102
Know the difference between public and private certificates.
Understand the role of a CA and the concept of a trust chain.
Be able to identify certificate errors: expired, untrusted, name mismatch, revoked.
Know how to import/export certificates in Windows, macOS, and Linux.
Understand the purpose of self-signed certificates and when they are appropriate.
Know the common file formats: .cer, .pem, .pfx, .p12.
Be aware of revocation methods: CRL and OCSP.
Understand that certificates have a validity period and must be renewed.
Recognize that a private key must be kept secure and never shared.
Conclusion
Certificate management is a fundamental security skill for IT professionals. The CompTIA A+ exam expects you to understand the basics of how certificates work, how to manage them on different operating systems, and how to troubleshoot common issues. Mastering these concepts will not only help you pass the exam but also prepare you for real-world support scenarios.
Generate Key Pair and CSR
The first step in obtaining a certificate is generating a public/private key pair. The private key must be kept secret and secure. Then, create a Certificate Signing Request (CSR) that contains the public key and identifying information (Common Name, Organization, Country, etc.). The CSR is sent to a Certificate Authority (CA) for signing. In Windows, you can use Internet Information Services (IIS) Manager or the `certreq` command. In Linux, use `openssl req -new -key private.key -out request.csr`. The CSR is not the certificate; it's a request for the CA to issue a certificate. The private key never leaves the server; only the public key is included in the CSR.
Submit CSR to CA for Validation
Submit the CSR to a public CA (like Let's Encrypt, DigiCert, or Comodo) or an internal CA (like Windows Server Certificate Services). The CA validates the identity of the requester. For Domain Validation (DV), the CA may send an email to the domain's administrative contact or require placing a specific file on the web server. For Organization Validation (OV) or Extended Validation (EV), the CA performs deeper checks. Once validated, the CA signs the CSR with its private key, creating the certificate. The certificate includes the CA's signature, which allows clients to verify its authenticity.
Install Certificate on Server
After receiving the certificate from the CA, install it on the server along with the private key. The certificate and private key must be associated together. In Windows, you can import the certificate into the computer's certificate store (Local Machine > Personal) using the Certificates MMC snap-in or IIS Manager. The private key should be imported if it was generated separately (e.g., in a .pfx file). In Linux, place the certificate file (e.g., cert.pem) and private key file (e.g., key.pem) in appropriate directories, often /etc/ssl/certs and /etc/ssl/private, and configure the web server (Apache, Nginx) to point to them. Ensure permissions are set so only the server process can read the private key.
Configure Application to Use Certificate
Once the certificate is installed, configure the application (web server, email server, VPN) to use it. For IIS, bind the certificate to the HTTPS site. For Apache, set the SSLCertificateFile and SSLCertificateKeyFile directives. For Nginx, use ssl_certificate and ssl_certificate_key. If the CA provided intermediate certificates, include them in the certificate chain (SSLCertificateChainFile in Apache). The application must also be configured to listen on the appropriate port (443 for HTTPS). After configuration, restart the service. Test by accessing the service over HTTPS and verifying the certificate details in the browser.
Monitor and Renew Certificate
Certificates have a validity period (typically 1-2 years). Set up monitoring to alert you before expiration. Many organizations use automated tools like CertBot (Let's Encrypt) to automatically renew certificates. For manual renewal, generate a new CSR (using the same or new key pair) and submit it to the CA. Install the new certificate before the old one expires. If a certificate is compromised, revoke it immediately via the CA's revocation interface and issue a new one. Regularly check certificate revocation lists (CRLs) or use OCSP to ensure no certificates have been revoked. Keep an inventory of all certificates and their expiration dates.
In enterprise environments, certificate management is often centralized using Public Key Infrastructure (PKI) solutions like Microsoft Active Directory Certificate Services (AD CS). For example, a large organization with thousands of employees might deploy internal CA servers to issue certificates for domain-joined computers, enabling automatic enrollment of certificates for smart card logon, email encryption (S/MIME), and VPN authentication. The internal CA certificates are distributed to all domain members via Group Policy, ensuring that all internal systems trust the CA. This eliminates the need to purchase certificates from public CAs for internal services. However, managing the lifecycle of thousands of certificates requires robust monitoring and automation. A common issue is certificate expiration causing service outages. For instance, if a domain controller's LDAPS certificate expires, clients may fail to authenticate. To mitigate this, organizations implement certificate auto-enrollment and set up monitoring tools like Microsoft's Certificate Lifecycle Manager or third-party solutions to send alerts 30, 60, and 90 days before expiration.
Another scenario is a company that hosts multiple websites on a single web server. They may use a single certificate with Subject Alternative Names (SANs) to cover all domains, reducing cost and management overhead. However, if one domain is sold or decommissioned, the entire certificate must be replaced. Some organizations prefer wildcard certificates (*.example.com) to cover all subdomains. A wildcard certificate simplifies management but poses a security risk: if the private key is compromised, all subdomains are affected. In high-security environments, separate certificates for each service are preferred.
A common misconfiguration is failing to include intermediate certificates in the server's certificate chain. When a client connects, it receives only the server certificate. If the client does not have the intermediate CA certificate, it cannot build the chain to a trusted root, resulting in an untrusted certificate error. The fix is to concatenate the server certificate with the intermediate certificates into a single file (the chain file) and configure the server to send it. For example, in Nginx: ssl_certificate /etc/ssl/certs/chain.pem; where chain.pem contains the server cert followed by intermediates. Another frequent mistake is incorrectly setting permissions on private key files. On Linux, the private key should be readable only by the web server user (e.g., www-data). If permissions are too permissive (e.g., 777), the system may refuse to start the service. On Windows, the private key is stored in the certificate store with appropriate access control lists (ACLs). When exporting a certificate with the private key to a .pfx file, a strong password must be used to protect it. If the password is lost, the private key cannot be extracted, and the certificate becomes useless.
Performance considerations: OCSP lookups can introduce latency. To mitigate, use OCSP stapling, where the server periodically fetches an OCSP response and caches it, then presents it during the TLS handshake. This reduces client-side latency and offloads the CA's OCSP responder. However, if the server cannot reach the OCSP responder, it may serve a stale response or fail to staple, causing clients to perform their own OCSP checks. In high-traffic environments, ensure that the server can handle the additional load of OCSP stapling.
In cloud environments like AWS, certificate management is often handled by AWS Certificate Manager (ACM) which automates renewal and deployment to load balancers and CloudFront. For on-premises or hybrid environments, tools like HashiCorp Vault or cert-manager in Kubernetes automate the entire lifecycle. Regardless of the platform, the core principles of certificate management remain: secure key generation, proper installation, timely renewal, and prompt revocation when compromised.
The CompTIA A+ 220-1102 exam covers certificate management under Objective 2.2: "Given a scenario, manage digital certificates." This includes installing, configuring, and troubleshooting certificates. The exam expects you to know the following:
Key concepts tested: - The purpose of a digital certificate: binding a public key to an identity. - The role of a Certificate Authority (CA) and trust chain. - Certificate formats: .cer, .pem, .pfx, .p12. - How to import/export certificates in Windows (certmgr.msc), macOS (Keychain Access), and Linux (OpenSSL). - Common certificate errors: expired, untrusted, name mismatch, revoked. - Self-signed certificates: when to use (internal testing) and their limitations (not trusted by default). - Revocation methods: CRL and OCSP. - The importance of keeping the private key secure.
Common wrong answers: 1. "A certificate encrypts the data." This is partially true but misleading. The certificate contains the public key used for encryption, but the certificate itself is not the encryption mechanism. The exam tests understanding that the certificate is for authentication and key exchange, not bulk encryption. 2. "A self-signed certificate is as secure as one from a public CA." No, self-signed certificates are not trusted by default because there is no third-party validation. Candidates often confuse self-signed with being inherently insecure; they are cryptographically valid but lack trust. 3. **"A certificate with a wildcard (*.example.com) can be used for any domain." It can only cover subdomains of example.com, not completely different domains. The exam may present a scenario where a wildcard certificate is incorrectly used for a different domain. 4. "If a certificate is revoked, you can still use it until it expires."** Revocation is immediate; the certificate should no longer be trusted. Candidates may think revocation only applies after expiration.
Specific numbers and values: - Default validity period: Typically 1-2 years; the exam may mention 365 days or 2 years. - Default RSA key size: 2048 bits (minimum recommended). - Common ports: HTTPS (443), LDAPS (636), SMTPS (587).
Edge cases: - A certificate that is not yet valid (Not Before date in the future). The client will treat it as invalid. - A certificate that has been revoked but the client does not check revocation (e.g., if CRL or OCSP is unavailable). The client may still trust it, leading to a security risk. - Intermediate CA certificates missing from the server's chain. The client may not trust the certificate if it cannot build the chain.
Elimination strategy: When presented with a certificate error, first identify the symptom:
- If the error says "expired", check the validity dates. - If the error says "untrusted", check if the CA is trusted or if the chain is complete. - If the error says "name mismatch", check the Common Name or SAN. - If the error says "revoked", check revocation status. Always consider the most common cause first. For example, a name mismatch is often due to using a certificate for a different domain or a missing www vs non-www. An untrusted error often occurs with self-signed certificates or when an internal CA certificate is not installed on clients.
Exam tips:
- Remember that .pfx/.p12 files include the private key and require a password.
- In Windows, use certmgr.msc for user certificates; for computer certificates, use the Certificates snap-in in MMC.
- In macOS, certificates are stored in Keychain Access; the login keychain is for user certificates, the system keychain for system-wide trust.
- In Linux, the openssl command is the Swiss army knife for certificate operations.
- The exam loves to test the difference between renewing (getting a new certificate with the same key) and re-keying (generating a new key pair). Re-keying is more secure if the old key may be compromised.
A digital certificate binds a public key to an identity and is signed by a Certificate Authority (CA).
The trust chain consists of root CA, intermediate CA, and end-entity certificate; all must be valid.
Common certificate errors: expired, untrusted, name mismatch, revoked.
Self-signed certificates are free but not trusted by default; use only for internal testing.
Certificate revocation is checked via CRL (list) or OCSP (real-time query).
In Windows, manage certificates with certmgr.msc (user) or MMC Certificates snap-in (computer).
In macOS, use Keychain Access; in Linux, use OpenSSL commands.
Private keys must be kept secure and never shared; .pfx/.p12 files bundle cert and key with password protection.
Wildcard certificates cover one level of subdomains; SAN certificates allow multiple domains.
Certificates have a validity period (typically 1-2 years) and must be renewed before expiration.
These come up on the exam all the time. Here's how to tell them apart.
Self-Signed Certificate
Signed by its own private key, no third-party validation.
Not trusted by default; browsers show a warning.
Free and easy to create with OpenSSL or PowerShell.
Suitable for internal testing or lab environments.
No cost, but requires manual distribution of the certificate to clients to avoid warnings.
CA-Signed Certificate
Signed by a trusted Certificate Authority (CA).
Trusted by default by browsers and operating systems.
Requires validation of identity (DV, OV, EV) and often costs money.
Required for public-facing websites to avoid security warnings.
Automated renewal possible (e.g., Let's Encrypt).
CRL (Certificate Revocation List)
A list of serial numbers of revoked certificates published by the CA.
Clients download the entire list periodically.
Can be large and slow to download, especially for big CAs.
Not real-time; updates may be delayed (e.g., daily).
No privacy concern because the client does not contact the CA for each certificate.
OCSP (Online Certificate Status Protocol)
A real-time protocol where the client queries the CA's responder for a specific certificate's status.
Returns 'good', 'revoked', or 'unknown' for each query.
Fast and efficient for individual checks.
Real-time status, but requires the OCSP responder to be available.
Privacy concern: the CA learns which certificates the client is checking.
Mistake
A digital certificate is used to encrypt all data in a TLS session.
Correct
The certificate primarily provides authentication and contains the public key used to encrypt a pre-master secret during the TLS handshake. After the handshake, symmetric encryption (e.g., AES) is used for the actual data, not the certificate's public key.
Mistake
Self-signed certificates are inherently insecure and should never be used.
Correct
Self-signed certificates are cryptographically valid; they are just not trusted by default because there is no third-party verification. They are acceptable for internal testing or lab environments where trust can be established manually.
Mistake
A wildcard certificate (*.example.com) can also be used for example.com (the root domain).
Correct
A wildcard certificate covers only one level of subdomains (e.g., www.example.com, mail.example.com). It does not cover the bare domain (example.com) unless the certificate explicitly includes the root domain as a SAN. Many wildcard certificates do include the root domain, but it is not guaranteed.
Mistake
Once a certificate is revoked, it is immediately removed from all clients' trust stores.
Correct
Revocation is a process: the CA marks the certificate as revoked and publishes it in a CRL or makes it available via OCSP. Clients must check these sources to know the status. If a client does not check (e.g., because CRL is not configured), it may still trust the revoked certificate.
Mistake
A certificate's private key can be extracted from the certificate file itself.
Correct
The certificate file (.cer, .crt) contains only the public key and identity information. The private key is stored separately and must be protected. A .pfx/.p12 file may contain both, but it is encrypted with a password.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
In Windows, you can create a self-signed certificate using PowerShell with the New-SelfSignedCertificate cmdlet. For example: `New-SelfSignedCertificate -DnsName "myserver.local" -CertStoreLocation "Cert:\LocalMachine\My"`. This creates a certificate in the local machine's personal store. You can then export it if needed. Note that self-signed certificates are not trusted by browsers; you must install the certificate in the trusted root store to avoid warnings. For testing, this is acceptable.
A .cer file contains only the public certificate (no private key). It is used to distribute the certificate to clients. A .pfx file (also .p12) contains both the certificate and its private key, protected by a password. .pfx files are used to move a certificate with its private key between systems, such as from a CA to a server. Never share a .pfx file with untrusted parties because it includes the private key.
A name mismatch error occurs when the domain name in the browser's address bar does not match the Common Name (CN) or any Subject Alternative Name (SAN) in the certificate. For example, if your certificate is issued for www.example.com but you access https://example.com, the browser will warn you. To fix, either use the correct URL or obtain a certificate that covers both names (e.g., a SAN certificate with both www.example.com and example.com).
You can check revocation status by examining the certificate's CRL Distribution Points (CDP) extension, which provides URLs to download the CRL. Or use the Authority Information Access (AIA) extension for OCSP responder URLs. In a browser, you can view the certificate details and look for the CRL or OCSP information. Command-line tools like OpenSSL can also check: `openssl verify -crl_check -CAfile ca.pem cert.pem` (if you have the CRL). Most browsers automatically check revocation if configured.
Intermediate CA certificates sit between the root CA and end-entity certificates. They are signed by the root CA and used to issue end-entity certificates. This hierarchy protects the root CA: if an intermediate CA is compromised, the root can revoke it without re-issuing all root certificates. Clients must have the intermediate certificate to build the trust chain. Servers should send the intermediate certificate during the TLS handshake so clients can validate the chain.
Renewing a certificate typically involves generating a new CSR (or using the existing key) and submitting it to the CA. For Let's Encrypt, use CertBot which automates renewal: `sudo certbot renew`. For manual renewal, create a new CSR: `openssl req -new -key existingkey.pem -out newcsr.csr`, submit to CA, then replace the old certificate file with the new one and restart the web server. Always test after renewal.
Yes, if the certificate covers the domain name(s) used on those servers. You can copy the certificate and private key to each server. However, this increases the risk of private key exposure. A more secure approach is to use a centralized certificate management solution or a hardware security module (HSM). For load-balanced environments, you can install the same certificate on each load balancer or use a shared storage solution.
You've just covered Certificate Management for A+ — now see how well it sticks with free 220-1102 practice questions. Full explanations included, no account needed.
Done with this chapter?