Domain 3: Security Architecture (11 min read)

How to Solve PKI & Certificate PBQs on Security+

PKI and certificate PBQs test your ability to troubleshoot TLS/SSL problems, understand certificate chains, and identify why secure connections fail. This guide teaches you the systematic approach to diagnosing certificate issues.


What Is a PKI/Certificate PBQ?

PKI (Public Key Infrastructure) PBQs present you with certificate information, error messages, or PKI architecture and ask you to identify problems or select the correct certificate for a scenario. You're essentially troubleshooting why a secure connection is failing or designing a certificate hierarchy.

These questions test whether you understand how certificates actually work—validation chains, expiration, revocation, key usage, and trust relationships. You might be asked to:

  • Identify why a browser shows a certificate warning
  • Select the correct certificate type for a given use case
  • Troubleshoot a broken certificate chain
  • Determine which certificate fields indicate a specific problem
  • Match certificates to their appropriate purposes (server auth, code signing, email)

The Chain Must Be Complete

A certificate is only trusted if every certificate in its chain—from the server certificate up to a trusted root CA—is valid, unexpired, unrevoked, and present. One broken link anywhere in the chain causes the entire connection to fail.

The 5-Step Method for Certificate Troubleshooting

When presented with a certificate problem, work through these checks in order:

1. Check expiration dates. Look at the "Valid From" and "Valid To" fields. If the current date is outside this range, the certificate is either not yet valid or expired. This is the most common certificate error.
2. Verify the certificate chain. The server certificate should chain to an intermediate CA, which chains to a root CA. If any intermediate certificate is missing, the chain is broken and the browser won't trust it.
3. Confirm the subject matches. The certificate's Common Name (CN) or Subject Alternative Name (SAN) must match the domain you're connecting to. A certificate for "www.example.com" won't work for "mail.example.com" unless it's a wildcard (*.example.com).
4. Check revocation status. Certificates can be revoked before expiration if compromised. Look for CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol) indicators showing the certificate has been revoked.
5. Validate key usage. Certificates are issued for specific purposes. A certificate whose Extended Key Usage lists only "Server Authentication" can't be used for code signing. Using a certificate outside its intended purpose causes errors.

Certificate Types and Their Uses

The exam tests whether you can match the right certificate to the right scenario:

Domain Validated (DV)

Verifies domain ownership only. Fast to issue, lowest assurance level. Used for basic website encryption.

Use case: Blog, small business website, internal tools

Organization Validated (OV)

Verifies domain ownership plus organization identity. Moderate assurance level.

Use case: Corporate websites, business applications

Extended Validation (EV)

Rigorous verification of organization identity. Highest assurance level. Shows organization name in browser.

Use case: Banking, e-commerce, financial services

Wildcard Certificate

Covers all subdomains at one level below the domain (*.example.com covers www.example.com, mail.example.com and api.example.com, but not the bare example.com unless it is listed separately).

Use case: Multiple subdomains on same server

SAN / Multi-Domain

Single certificate covering multiple distinct domains listed in Subject Alternative Names.

Use case: example.com, example.net, example.org on one server

Code Signing

Validates software publisher identity. Used to sign executables, scripts, drivers.

Use case: Software distribution, driver signing

Walkthrough: Diagnosing a Certificate Error

A user reports they can't access https://portal.company.com and see a certificate warning. Here's what the certificate shows:

X.509 Certificate Viewer (identify all certificate issues)

Subject:                 www.company.com
Status:                  INVALID
Issued by:               Company Internal CA

Subject CN:              www.company.com
Issuer:                  CN=Company Internal CA, O=Company Inc, C=US
Serial Number:           0A:1B:2C:3D:4E:5F:6A:7B
Valid From:              Jan 15, 2025 00:00:00 UTC
Valid To:                Jan 15, 2026 23:59:59 UTC  [EXPIRED]
                         Current date: Jan 27, 2026 (certificate expired 12 days ago)
Key Usage:               Digital Signature, Key Encipherment
Extended Key Usage:      Server Authentication, Client Authentication
Subject Alt Names:       DNS: www.company.com  [MISMATCH]
                         User is accessing portal.company.com, which is not listed in the SAN
Signature Algorithm:     SHA-256 with RSA Encryption

Certificate Chain

End Entity:              www.company.com
Intermediate:            (Missing)
Root CA:                 Company Root CA

Analysis

Issue 1: Certificate expired. The "Valid To" date is January 15, 2026, but the current date is January 27, 2026. The certificate is 12 days expired and will be rejected by all browsers.

Issue 2: Name mismatch. The user is accessing portal.company.com, but the certificate's Subject Alternative Name field lists only www.company.com. The browser will show a "certificate name mismatch" error.

Issue 3: Incomplete chain. The intermediate CA certificate is missing from the chain. Even if the other issues were fixed, the browser can't build a trust path to the root CA.

Resolution: The organization needs to: (1) Renew the certificate immediately, (2) Include portal.company.com in the SAN or use a wildcard certificate (*.company.com), and (3) Configure the server to send the complete certificate chain including the intermediate CA.
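The field checks from the 5-step method (validity period, subject/SAN match, revocation and key usage) applied to the walkthrough certificate, as an added example that is not part of the original article. The certificate is a constructed record holding the parsed fields shown in the viewer, not a real X.509 object; the CRL is a constructed set of revoked serial numbers; the `Cert` class and the function names are assumptions. The hostname matcher goes beyond the walkthrough by applying the wildcard rules that browsers use: `*.example.com` covers exactly one label, so it matches www.example.com but not example.com or a.b.example.com. Chain building is left to a separate step.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Cert:
    """Constructed stand-in for the parsed fields of an X.509 certificate.
    The values used below mirror the walkthrough certificate; this is not a
    real certificate and nothing here parses DER or PEM."""
    subject_cn: str
    issuer: str
    serial: str
    not_before: datetime
    not_after: datetime
    sans: list = field(default_factory=list)   # DNS names from Subject Alt Name
    ekus: list = field(default_factory=list)   # Extended Key Usage purposes


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the requested hostname.
    A wildcard counts only as the entire leftmost label and covers exactly one
    label: *.example.com matches www.example.com but neither example.com nor
    a.b.example.com. Comparison is case-insensitive."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_certificate(cert: Cert, hostname: str, purpose: str,
                      now: datetime, revoked_serials) -> list:
    """Apply the checks that can be made from the certificate's own fields:
    validity period, subject/SAN match, revocation and key usage.
    Returns a list of issue strings; an empty list means these checks pass.
    Chain building is a separate step and is not covered here."""
    issues = []

    # Step 1: validity period. The calendar-day difference matches how the
    # walkthrough counts "12 days ago".
    if now < cert.not_before:
        issues.append("not yet valid: check the server clock or the deployment date")
    elif now > cert.not_after:
        days = (now.date() - cert.not_after.date()).days
        issues.append(f"expired {days} days ago")

    # Step 3: subject match. Browsers match against the SAN entries and fall
    # back to the CN only when the certificate carries no DNS SANs.
    names = cert.sans or [cert.subject_cn]
    if not any(hostname_matches(n, hostname) for n in names):
        issues.append(f"name mismatch: {hostname} is not covered by {', '.join(names)}")

    # Step 4: revocation, here against a constructed CRL given as a set of
    # revoked serial numbers (a real client fetches the CRL or asks OCSP).
    if cert.serial in revoked_serials:
        issues.append("revoked by the issuing CA")

    # Step 5: key usage. The requested purpose must appear in Extended Key Usage.
    if purpose not in cert.ekus:
        issues.append(f"key usage does not permit {purpose}")

    return issues


# Constructed scenario data mirroring the walkthrough certificate.
PORTAL_CERT = Cert(
    subject_cn="www.company.com",
    issuer="CN=Company Internal CA, O=Company Inc, C=US",
    serial="0A:1B:2C:3D:4E:5F:6A:7B",
    not_before=datetime(2025, 1, 15, 0, 0, 0, tzinfo=timezone.utc),
    not_after=datetime(2026, 1, 15, 23, 59, 59, tzinfo=timezone.utc),
    sans=["www.company.com"],
    ekus=["Server Authentication", "Client Authentication"],
)
WALKTHROUGH_DATE = datetime(2026, 1, 27, 12, 0, 0, tzinfo=timezone.utc)
MID_VALIDITY = datetime(2025, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
BEFORE_VALIDITY = datetime(2024, 12, 31, 12, 0, 0, tzinfo=timezone.utc)
NO_REVOCATIONS = frozenset()          # constructed CRL contents: nothing revoked


def diagnose_walkthrough() -> list:
    """Reproduce the walkthrough: portal.company.com on Jan 27, 2026."""
    return check_certificate(PORTAL_CERT, "portal.company.com",
                             "Server Authentication", WALKTHROUGH_DATE, NO_REVOCATIONS)


if __name__ == "__main__":
    for issue in diagnose_walkthrough() or ["no issues found in certificate fields"]:
        print("-", issue)
```

Running the module reports the walkthrough's first two findings (expired 12 days ago, name mismatch for portal.company.com). Swapping in the `MID_VALIDITY` date and the listed hostname makes the checks pass, which is the quickest way to confirm that a fix addressed the finding rather than masking it.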


Understanding the Certificate Chain

A certificate chain (or chain of trust) connects your server certificate to a trusted root certificate authority. Here's how it works:

Root CA — The ultimate trust anchor. Root CA certificates are pre-installed in browsers and operating systems. Organizations like DigiCert, Let's Encrypt, and Comodo operate root CAs. Root certificates are self-signed.

Intermediate CA — Issues certificates on behalf of the root CA. This protects the root—if an intermediate is compromised, only its certificates are affected, and it can be revoked without replacing the root.

Server/End-Entity Certificate — The certificate installed on your web server. It's signed by an intermediate CA (or sometimes directly by a root for internal CAs).

Validation process: When a browser connects, the server sends its certificate plus any intermediate certificates. The browser builds a chain from the server cert up to a root it trusts. If any link is missing, expired, or revoked, validation fails.

A common misconfiguration is failing to include intermediate certificates. The server certificate alone isn't enough—the browser needs the full chain.
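The validation process described above, as an added example that is not part of the original article: a chain builder that walks from the server certificate toward a trust anchor by linking each certificate's issuer to another certificate's subject, looking first in the client's trust store and then among the certificates the server sent. The records are constructed from the walkthrough scenario (the root's full distinguished name is an assumption, since the page shows only "Company Root CA"); the `ChainCert` class and function names are assumptions, and no signatures are verified. The three scenario functions show the leaf-only misconfiguration, the corrected server, and a complete chain whose internal root was never installed on the client.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ChainCert:
    """Constructed stand-in for a certificate, reduced to the two fields a
    chain builder links on. Not a real certificate; signatures are not checked."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chain(leaf: ChainCert, presented: list, trust_store: list, max_depth: int = 6):
    """Build a trust path from leaf to a trust anchor the way a browser does.
    At each hop the issuer of the current certificate is looked up first in the
    local trust store (roots), then among the certificates the server sent.
    Returns (chain, error); error is None when the chain ends at a trusted root."""
    trusted = {c.subject: c for c in trust_store}
    sent = {c.subject: c for c in presented}
    chain = [leaf]
    current = leaf
    while len(chain) <= max_depth:
        if current.subject in trusted:
            return chain, None                       # reached a trust anchor
        if current.self_signed:
            return chain, (f"certificate authority is invalid: '{current.subject}' "
                           "is self-signed and not in the trust store")
        parent = trusted.get(current.issuer) or sent.get(current.issuer)
        if parent is None:
            return chain, (f"unable to verify certificate chain: no certificate "
                           f"for issuer '{current.issuer}' was sent or trusted")
        chain.append(parent)
        current = parent
    return chain, "chain exceeds maximum depth"


# Constructed records following the walkthrough scenario. The root's full
# distinguished name is an assumption; the page shows only "Company Root CA".
LEAF = ChainCert("CN=www.company.com",
                 "CN=Company Internal CA, O=Company Inc, C=US")
INTERMEDIATE = ChainCert("CN=Company Internal CA, O=Company Inc, C=US",
                         "CN=Company Root CA, O=Company Inc, C=US")
ROOT = ChainCert("CN=Company Root CA, O=Company Inc, C=US",
                 "CN=Company Root CA, O=Company Inc, C=US")
TRUST_STORE = [ROOT]   # what the client ships with; the intermediate is not in it


def server_sends_leaf_only():
    """The misconfiguration from the walkthrough: the intermediate is missing."""
    return build_chain(LEAF, [LEAF], TRUST_STORE)


def server_sends_full_chain():
    """The fix: the server is configured to send leaf plus intermediate."""
    return build_chain(LEAF, [LEAF, INTERMEDIATE], TRUST_STORE)


def root_not_trusted():
    """Complete chain, but the internal root was never installed on the client."""
    return build_chain(LEAF, [LEAF, INTERMEDIATE, ROOT], [])


if __name__ == "__main__":
    for name, scenario in [("leaf only", server_sends_leaf_only),
                           ("full chain", server_sends_full_chain),
                           ("untrusted root", root_not_trusted)]:
        chain, error = scenario()
        print(f"{name}: {' -> '.join(c.subject for c in chain)}")
        print(f"   result: {error or 'trusted'}")
```

The two failure messages correspond to the "Unable to verify certificate chain" and "Certificate authority is invalid" errors listed below: the first is fixed on the server by sending the intermediate, the second only by installing the internal root on the client.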

Common Certificate Errors and Causes

Know what each error message indicates:

  • "Certificate has expired" — The current date is past the "Valid To" date. Renew the certificate.
  • "Certificate is not yet valid" — The current date is before the "Valid From" date. Server clock may be wrong, or certificate was deployed too early.
  • "Certificate name mismatch" — The domain in the URL doesn't match the certificate's CN or SAN. Need a new certificate covering the correct domain.
  • "Certificate authority is invalid" — The issuing CA isn't trusted by the browser. Often happens with self-signed or internal CA certificates.
  • "Unable to verify certificate chain" — Missing intermediate certificates. Server must send the full chain.
  • "Certificate has been revoked" — The CA revoked the certificate (possibly due to compromise). Need a new certificate.
  • "Certificate signature failure" — The certificate's digital signature doesn't validate. Could indicate tampering or corruption.

Certificate Fields to Know

When analyzing a certificate in a PBQ, focus on these key fields:

Subject — Who the certificate identifies. For server certs, this includes the CN (Common Name) which should match the domain.

Issuer — The CA that signed the certificate. Should chain to a trusted root.

Valid From / Valid To — The certificate's validity period. Most public certificates are valid for 1 year (some CAs now limit to 90 days).

Subject Alternative Name (SAN) — Additional domains covered by the certificate. Modern certificates rely heavily on SANs rather than just the CN.

Key Usage / Extended Key Usage — What the certificate can be used for: Server Authentication, Client Authentication, Code Signing, Email Protection, etc.

CRL Distribution Points — Where to check if the certificate has been revoked.

Serial Number — Identifier assigned by the issuing CA, unique among that CA's certificates; CRLs list revoked certificates by serial number.

Frequently Asked Questions

What is a PKI PBQ on the Security+ exam?

A PKI (Public Key Infrastructure) PBQ presents you with certificate information, error messages, or PKI scenarios and asks you to identify problems or select the correct solution. You might troubleshoot why a TLS connection fails, select the right certificate type for a use case, or identify what's wrong with a certificate chain.

What is a certificate chain?

A certificate chain is the sequence of certificates from your server certificate to a trusted root CA. The server cert is signed by an intermediate CA, which is signed by the root CA. Browsers validate this entire chain—if any certificate is missing, expired, or revoked, the connection fails.

What's the difference between a wildcard and a SAN certificate?

A wildcard certificate (*.example.com) covers all subdomains at one level—www.example.com, mail.example.com, api.example.com. A SAN (Subject Alternative Name) certificate lists specific different domains that may be completely unrelated—example.com, example.net, different-company.com.

Why do certificates expire?

Certificate expiration limits the damage from compromised keys and ensures organizations periodically reverify their identity. Shorter validity periods (now typically 1 year or less) mean stolen certificates become useless faster and cryptographic best practices can be updated more frequently.
