A security professional is implementing a solution to verify the authenticity of a digital certificate. Which component of a PKI is responsible for issuing and revoking certificates?
The CA issues and revokes digital certificates.
Why this answer
The Certificate Authority (CA) is the core component of a Public Key Infrastructure (PKI) responsible for issuing digital certificates and, crucially, for revoking them when they are no longer trusted. While other components support certificate status checking or verification, only the CA has the authority to sign and publish certificates or revocation information.
Exam trap
The trap here is that candidates mistake the OCSP responder or the CRL for the entity that performs revocation. Both are merely mechanisms for checking or distributing revocation status; only the CA has the authority to issue or revoke a certificate.
How to eliminate wrong answers
Option A is wrong because an OCSP responder is a service that provides real-time certificate status (valid, revoked, or unknown) by querying the CA's database, but it does not issue or revoke certificates.
Option C is wrong because a Certificate Revocation List (CRL) is a published list of revoked certificates maintained by the CA, but it is a data structure, not the entity that performs the revocation action.
Option D is wrong because a Registration Authority (RA) is an optional component that verifies the identity of certificate requestors and forwards requests to the CA, but it does not have the authority to issue or revoke certificates itself.