
You have an enterprise certification authority (CA) named CA1.
You configure a recovery agent for CA1.
On CA1, you create a new certificate template named CertTemplate1, and then you configure CA1 to allow certificates to be requested based on CertTemplate1.
You need to ensure that new certificates issued based on CertTemplate1 can be recovered.

What should you do?

A. From the Certificate Templates console, modify the Issuance Requirements settings of CertTemplate1.

B. From the Certification Authority console, modify the enrollment agents of CA1.

C. From the Certificate Templates console, modify the Request Handling settings of CertTemplate1.

D. From the Certification Authority console, modify the certificate managers of CA1.

Explanation:
The key archival process takes place when a certificate is issued. Therefore, a certificate template must be modified to archive keys before any certificates are issued based on this template.
See step 7 below.

To configure a certificate template for key archival and recovery:

1. Open the Certificate Templates snap-in.
2. In the details pane, right-click the certificate template that you want to change, and then click Duplicate Template.
3. In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of your certification authorities (CAs) and client computers are running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.
4. In Template, type a new template display name, and then modify any other optional properties as needed.
5. On the Security tab, click Add, type the name of the users or groups you want to issue the certificates to, and then click OK.
6. Under Group or user names, select the user or group names that you just added. Under Permissions, select the Read and Enroll check boxes, and if you want to automatically issue the certificate, also select the Autoenroll check box.
7. On the Request Handling tab, select the Archive subject’s encryption private key check box.
8. If users already have EFS certificates that are not configured for key archival and recovery, click the Superseded Templates tab, click Add, and then click the name of the template that you want to replace.
9. Click OK.

Reference: Configure a Certificate Template for Key Archival
https://technet.microsoft.com/en-us/library/cc753826.aspx
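
The check box in step 7 is stored on the template object in Active Directory, so the setting can be confirmed without opening the console. The script below is an added example, not part of the original explanation. It assumes that the ActiveDirectory PowerShell module is installed and that the template's CN is CertTemplate1, which may differ from its display name.

```powershell
# Added example: read-only check of a certificate template's key archival setting.
# Assumption: the ActiveDirectory module (RSAT) is available on this machine.
Import-Module ActiveDirectory

# Assumption: the template's CN matches the name used in the question.
$TemplateName = 'CertTemplate1'

# Bit in msPKI-Private-Key-Flag set by "Archive subject's encryption private key".
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x1
# pKIDefaultKeySpec value for an encryption (key exchange) key; only these are archived.
$AT_KEYEXCHANGE = 1

# Certificate templates live in the forest-wide Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$template = Get-ADObject -Identity $dn -Properties `
    'msPKI-Private-Key-Flag', 'pKIDefaultKeySpec', 'msPKI-Template-Schema-Version'

$archival = ($template.'msPKI-Private-Key-Flag' -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) -ne 0
$encryptionKey = $template.pKIDefaultKeySpec -eq $AT_KEYEXCHANGE

[pscustomobject]@{
    Template        = $TemplateName
    SchemaVersion   = $template.'msPKI-Template-Schema-Version'
    KeyArchival     = $archival
    EncryptionKey   = $encryptionKey
}

if (-not $archival) {
    Write-Warning "$TemplateName does not archive private keys; certificates issued from it cannot be recovered."
}
elseif (-not $encryptionKey) {
    Write-Warning "$TemplateName requests archival but its key spec is not an encryption key."
}
```

Because archival happens at issuance, run the check before the template is published for enrollment; certificates issued while `KeyArchival` is false have no archived key on the CA.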
