6 exercises — certificate rotation and pinning, internal PKI, keystore/truststore formats, and HSM key ceremony vocabulary.
0 / 6 completed
1 / 6
Complete: "We rotate TLS certificates 30 days before expiry using cert-manager with Let's Encrypt ACME." What does this sentence correctly describe?
This sentence describes standard modern certificate rotation vocabulary:
• Certificate expiry: the "Not After" date after which a certificate is no longer valid — Let's Encrypt certificates are valid for 90 days, deliberately short to encourage automation • Renewal window: the period before expiry during which automated renewal should trigger (30 days is a common safety margin, allowing retries if the first renewal attempt fails) • Automated rotation: the process runs without human intervention — critical because expired certificates are one of the most common causes of production outages • cert-manager: a widely-used Kubernetes controller that automates certificate issuance and renewal • ACME (Automatic Certificate Management Environment): the protocol Let's Encrypt (and other modern CAs) use to automate domain validation and certificate issuance without human interaction
2 / 6
What is "certificate pinning," and why has HPKP (HTTP Public Key Pinning) been deprecated in favour of alternatives?
Certificate/public key pinning defends against a compromised or coerced CA issuing a fraudulent certificate for your domain — even a "trusted" CA misissuing a cert wouldn't be accepted if it doesn't match the pinned key.
Vocabulary: • Public key pinning: pinning the public key (not the whole certificate) so pins survive certificate renewal, as long as the same key pair is reused • HPKP (deprecated): an HTTP header (Public-Key-Pins) that let a server tell browsers to remember and enforce pins — removed from browsers because a bad deployment (lost keys, misconfigured pins) could brick access to a domain with no way to recover, a risk considered worse than the attack it defended against • Static pin: a pin embedded directly in application code at build time (common in mobile apps) rather than delivered dynamically over HTTP • Pin backup: best practice requires pinning at least one backup key (e.g. an intermediate not yet in active use) so rotating certificates doesn't require an app update first
3 / 6
What is the correct description of "internal PKI" (a private Certificate Authority)?
Many organisations run a private/internal CA for infrastructure that never needs to be trusted by the public internet:
• Private CA: a root certificate authority the organisation controls, whose root certificate is explicitly installed/trusted only on internal machines — never in public browser trust stores • Intermediate CA: same chain-of-trust pattern as public PKI, keeping the private root offline and issuing day-to-day certificates from an intermediate • Certificate Policy (CP): a document describing what a certificate issued under this CA actually means/asserts (e.g. "this certificate identifies an internal microservice") • Certification Practice Statement (CPS): the operational document describing HOW the CA actually performs issuance, validation, storage, and revocation — the practical implementation of the policy
Common use cases: mutual TLS (mTLS) between microservices, VPN client certificates, internal admin dashboards, and IoT device identity — situations where public CA validation processes are unnecessary overhead.
4 / 6
What is the correct distinction between a Java keystore (JKS), PKCS#12, PEM, and DER formats?
This distinction trips up many engineers because the terms mix "encoding" and "container" concepts:
Encoding formats (for a single cert or key): • PEM: base64 text wrapped with headers like -----BEGIN CERTIFICATE----- / -----BEGIN PRIVATE KEY----- — human-readable, easy to concatenate multiple certs in one file, the most common format on Linux/nginx/Apache • DER: the raw binary encoding PEM is base64 of — used directly by some Windows/Java tooling
Keystore/container formats (bundle key + cert chain + optional password protection): • PKCS#12 (.p12 / .pfx): a cross-platform, password-protectable container holding a private key plus its certificate chain — used by Windows, and importable into Java • JKS (Java KeyStore): Java's own proprietary keystore format, historically the default for Java applications (Java 9+ now defaults to PKCS#12 instead)
Practical translation commands are common interview/on-call knowledge: openssl pkcs12 -export to build a .p12 from PEM files, keytool -importkeystore to convert between JKS and PKCS#12.
5 / 6
In HSM (Hardware Security Module) vocabulary, what does a "key ceremony" refer to?
A key ceremony is a highly controlled, often video-recorded and independently witnessed procedure for the most sensitive cryptographic operations — most commonly generating or backing up a root CA's private key.
Vocabulary: • HSM (Hardware Security Module): a dedicated, tamper-resistant hardware device that generates and stores private keys such that they can never be extracted in plaintext — all cryptographic operations happen inside the device • Quorum: a rule requiring a minimum number of authorised people (e.g. "3 of 5") to be present together to perform a sensitive operation, preventing any single person from acting alone • Key custodian: an individual entrusted with a share/portion of a split secret needed to reconstruct or access the protected key — no single custodian holds the complete secret • Split knowledge: the underlying principle — a secret is divided among multiple parties such that a subset below the quorum threshold learns nothing useful
Public root CAs (the ones pre-trusted in browsers) are required to perform audited key ceremonies as part of their compliance obligations (e.g. WebTrust audits).
6 / 6
A colleague asks: "our internal service certificates keep silently expiring and breaking production — what PKI management practice should we adopt?" What is the correct professional answer?
Certificate expiry outages are one of the most common, well-documented, and entirely preventable operational failures in production systems — famous public examples include major outages at large tech companies caused by exactly this.
The professional fix combines several PKI management practices covered in this category: 1. Automated rotation: tooling (cert-manager, ACME clients) that renews certificates automatically well before expiry, without human action 2. Short validity periods: counterintuitively, SHORTER-lived certificates (like Let's Encrypt's 90 days) force automation to be built and tested regularly, rather than allowing a 10-year certificate to be "set and forgotten" until it unexpectedly breaks something 3. Expiry monitoring and alerting: dashboards/alerts that flag certificates approaching their renewal window, as a safety net for when automation fails
Extending validity periods (option A) makes the underlying problem worse, not better — it just delays the eventual failure and removes the pressure to build proper automation.
Yes. Every exercise on CoderSlingo, including this one, is free to use with no account, sign-up, or paywall.
How many questions are in "PKI Management Language — Cryptography & PKI Exercises"?
This exercise has 6 questions. Each one gives instant feedback with an explanation, so you can see exactly why an answer is right or wrong.
Do I need to create an account to save my progress?
No account is required. The progress bar and score are tracked in your browser for the current session -- the exercise is designed to be a quick, repeatable drill rather than something you resume later.
What happens if I get an answer wrong?
You'll see the correct answer highlighted immediately, along with a short explanation of why it's correct. Wrong answers aren't penalized beyond your score, and you can keep going through every question.
How is this exercise different from reading an article?
Articles explain vocabulary and concepts through prose, while exercises like this one are interactive drills -- multiple-choice questions -- that test and reinforce your recall of specific terms and phrasing.
Can I retry this exercise?
Yes -- use the "Try again" button on the results screen to reset your score and go through all the questions again from the start.
Where can I find more Cryptography & PKI exercises?
Browse the full Cryptography & PKI hub for related drills, or check the site-wide exercises index for other IT English topics.
Is this exercise suitable for beginners?
This exercise assumes basic familiarity with IT terminology. If a term feels unfamiliar, check the site Glossary for a plain-English definition before attempting the questions.
How often is new content like this published?
New exercises are added regularly across all categories, alongside new vocabulary sets and articles. Check back on the exercises hub to see what's new.