You want to enable key archiving on a CA.
You need to issue a certificate from a specific template to the user who will recover private keys.
Which certificate template will you use as the basis for this certificate?
A. Kerberos authentication
B. Code signing
C. OCSP response signing
D. Key recovery agent