Network Security — Network+ practice questions

Domain 4 of the CompTIA Network+ (N10-009) exam. 131 questions on this domain in the full bank — here are four free samples with answers and explanations.

Question 1 · Difficulty 2/5

Which of the following best describes the purpose of a Certificate Authority (CA) in a Public Key Infrastructure (PKI)? (Select the best answer.)
  A. It encrypts data in transit between two endpoints using a symmetric key.
  B. It issues and digitally signs digital certificates to bind public keys to verified identities.
  C. It generates private keys on behalf of end entities and distributes them securely.
  D. It maintains a real-time database of active TLS sessions for auditing purposes.

Correct answer: B

It issues and digitally signs digital certificates to bind public keys to verified identities.
A Certificate Authority (CA) is the trusted third party in a PKI whose core function is to issue and digitally sign X.509 certificates, binding a public key to a verified identity (person, device, or service). The CA does not perform symmetric encryption on behalf of endpoints; that is negotiated between the communicating parties during a handshake (e.g., TLS). CAs do not generate or distribute private keys; private keys are generated locally by the entity and must never leave the endpoint. Maintaining TLS session logs is a network monitoring or SIEM function, not a PKI CA function.

Question 2 · Difficulty 3/5

A network administrator configures a new internal web application and installs a self-signed TLS certificate on the server. Users who visit the site receive a browser warning stating the certificate is not trusted. Which of the following most accurately explains why the browser displays this warning? (Select the best answer.)
  A. Self-signed certificates use a weaker encryption algorithm than CA-issued certificates.
  B. The certificate has expired because self-signed certificates are only valid for 24 hours by default.
  C. The certificate was signed by the server itself rather than by a CA present in the browser's trusted root store.
  D. Self-signed certificates cannot include a Subject Alternative Name (SAN), causing the hostname to mismatch.

Correct answer: C

The certificate was signed by the server itself rather than by a CA present in the browser's trusted root store.
Browsers maintain a trusted root certificate store containing CA certificates from well-known, vetted authorities. A self-signed certificate is signed by its own private key, so there is no chain of trust leading back to a root CA in the browser's store; the browser cannot verify the issuer and displays an untrusted-certificate warning. Self-signed certificates are not inherently weaker in encryption algorithm; they can use the same key lengths and cipher suites as CA-issued certificates. There is no 24-hour validity default for self-signed certificates; validity is configurable by the administrator. Self-signed certificates can include SAN fields; the warning is about trust, not hostname matching per se.

Question 3 · Difficulty 3/5

A security engineer is reviewing data protection requirements. The team has determined that sensitive customer records stored on a database server must be protected so that even if the raw storage media is removed or stolen, the data remains unreadable. Which of the following encryption approaches directly addresses this requirement? (Select the best answer.)
  A. TLS 1.3 configured on the database server's network interface
  B. Encryption of data at rest applied to the database files or storage volume
  C. IPsec transport mode configured between the database server and application server
  D. SSH tunneling for all administrative connections to the database server

Correct answer: B

Encryption of data at rest applied to the database files or storage volume
Encryption of data at rest protects data stored on disk: if the physical media is removed or stolen, the attacker cannot read the plaintext without the decryption key. TLS 1.3 protects data in transit across the network but provides no protection once the data is written to storage. IPsec transport mode also protects data in transit between two communicating hosts, but not data stored on disk. SSH tunneling secures the administrative management channel but does not protect the database files themselves at rest.

Question 4 · Difficulty 2/5

Which of the following best describes the role of asymmetric encryption in a TLS handshake for data in transit? (Select the best answer.)
  A. It encrypts all application data exchanged after the handshake completes.
  B. It is used to securely exchange or derive the symmetric session key that will encrypt application data.
  C. It generates the message authentication code (MAC) that verifies data integrity.
  D. It compresses the payload before symmetric encryption is applied.

Correct answer: B

It is used to securely exchange or derive the symmetric session key that will encrypt application data.
During a TLS handshake, asymmetric cryptography (e.g., RSA key exchange or ECDHE) is used to securely establish or derive a shared symmetric session key; all bulk application data is then encrypted with that symmetric key for performance reasons. Asymmetric encryption is not used for bulk data encryption because it is computationally expensive. MACs for integrity are produced using hash-based constructs (HMAC) with the negotiated session material, not directly by the asymmetric algorithm. TLS does not perform payload compression as part of the encryption algorithm itself.