You are the network administrator for your company. The network consists of a single Active Directory domain. All computers on the network are members of the domain. The domain contains a Windows Server 2003 computer named Server1.
You are planning a public key infrastructure (PKI) for the company. You want to deploy an enterprise certification authority (CA) on Server1. You create a new global security group named Cert Approvers. You install an enterprise CA and configure the CA to issue Key Recovery Agent certificates.
The company’s written security policy states that issuance of a Key Recovery Agent certificate requires approval from a member of the Cert Approvers group. All other certificates must be issued automatically.
You need to ensure that members of the Cert Approvers group can approve pending enrollment requests for a Key Recovery Agent certificate.
What should you do?

A.
Assign the Cert Approvers group the Allow – Enroll permission for the Key Recovery Agent certificate template.

B.
Assign the Cert Approvers group the Allow – Issue and Manage Certificates permission for the CA.

C.
For all certificate managers, add the Cert Approvers group to the list of managed subjects.

D.
Add the Cert Approvers group to the existing Cert Publishers group in the domain.

E.
Assign the Cert Approvers group the Allow – Full Control permission for the Certificate Templates container in the Active Directory configuration naming context.