PrepAway - Latest Free Exam Questions & Answers

You have a two-tier PKI infrastructure that contains an offline root CA and an online issuing C

Your company has an Active Directory domain. You have a two-tier PKI infrastructure that
contains an offline root CA and an online issuing C


The Enterprise certification authority is running Windows Server 2008 R2.
You need to ensure users are able to enroll new certificates.
What should you do?

A.
Renew the Certificate Revocation List (CRL) on the root CA. Copy the CRL to the
CertEnroll folder on the issuing CA.


B.
Renew the Certificate Revocation List (CRL) on the issuing CA. Copy the CRL to the
SystemCertificates folder in the users' profile.

C.
Import the root CA certificate into the Trusted Root Certification Authorities store on all
client workstations.

D.
Import the issuing CA certificate into the Intermediate Certification Authorities store on all
client workstations.

Explanation:

http://social.technet.microsoft.com/wiki/contents/articles/2900.offline-root-certificationauthority-ca.aspx
Offline Root Certification Authority (CA)
A root certification authority (CA) is the top of a public key infrastructure (PKI) and generates
a self-signed certificate. This means that the root CA is validating itself (self-validating). This
root CA could then have subordinate CAs that effectively trust it. The subordinate CAs
receive a certificate signed by the root CA, so the subordinate CAs can issue certificates that
are validated by the root CA. This establishes a CA hierarchy and trust path.
CA Compromise
If a root CA is in some way compromised (broken into, hacked, stolen, or accessed by an
unauthorized or malicious person), then all of the certificates that were issued by that CA are
also compromised. Since certificates are used for data protection, identification, and
authorization, the compromise of a CA could compromise the security of an entire
organizational network. For that reason, many organizations that run internal PKIs install
their root CA offline. That is, the CA is never connected to the company network, which
makes the root CA an offline root CA. Make sure that you keep all CAs in secure areas with
limited access.
To ensure the reliability of your CA infrastructure, specify that any root and non-issuing
intermediate CAs must be offline. A non-issuing CA is one that is not expected to provide
certificates to client computers, network devices, and so on. This minimizes the risk of the
CA private keys becoming compromised, which would in turn compromise all the certificates
that were issued by the CA.
How do offline CAs issue certificates?
Offline root CAs can issue certificates to removable media devices (e.g. floppy disk, USB
drive, CD/DVD), which are then physically transported to the subordinate CAs that need the
certificate in order to perform their tasks. If the subordinate CA is a non-issuing intermediate
that is offline, then it will also be used to generate a certificate, and that certificate will be
placed on removable media. Each CA receives its authorization to issue certificates from the
CA directly above it in the CA hierarchy. However, you can have multiple CAs at the same
level of the CA hierarchy. Issuing CAs are typically online and used to issue certificates to
client computers, network devices, mobile devices, and so on.
Do not join offline CAs to an Active Directory Domain Services domain
Since offline CAs should not be connected to a network, it does not make sense to join them
to an Active Directory Domain Services (AD DS) domain, even with the Offline Domain Join
option introduced with Windows 7 and Windows Server 2008 R2.
Furthermore, installing an offline CA on a server that is a member of a domain can cause
problems with the secure channel when you bring the CA back online after a long offline
period, because the computer account password changes every 30 days. You can get
around this problem, and better protect your CA, by making it a member of a workgroup
instead of a domain. Since Enterprise CAs must be joined to an AD DS domain, do not
attempt to install an offline CA as a Windows Server Enterprise CA.
http://technet.microsoft.com/en-us/library/cc740209%28v=ws.10%29.aspx
Renewing a certification authority
A certification authority may need to be renewed for either of the following reasons:
Change in the policy of certificates issued by the CA
Expiration of the CA’s issuing certificate
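The failure behind this question is an expired root CA CRL: the online issuing CA cannot validate its own certificate chain, so enrollment stops until a renewed CRL from the offline root is placed at the CDP locations the issuing CA publishes (the CertEnroll folder for HTTP and Active Directory for LDAP). The following PowerShell script is an added example written for this page; it is not code from the exam page, from PrepAway or from Microsoft. The file name RootCA.crl, the removable-media path D:\ and the default AD CS CertEnroll path are placeholders, and the certutil subcommands used (-crl, -dump, -dspublish, -verify -urlfetch) are standard AD CS tooling.

```powershell
# Added example (not from the exam page, PrepAway or Microsoft). Placeholders:
# RootCA.crl (root CRL file name), D:\ (removable media), default CertEnroll path.
# Run in an elevated PowerShell session on the online issuing CA.

# ---- Step 1, on the offline root CA (shown as comments, run there by hand) --------
# certutil -crl                       # renew (publish) the root CA CRL
# Copy-Item (Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll\RootCA.crl') 'D:\RootCA.crl'

# ---- Step 2, on the online issuing CA ---------------------------------------------
$certEnroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
$currentCrl = Join-Path $certEnroll 'RootCA.crl'   # CRL currently served over HTTP
$newCrl     = 'D:\RootCA.crl'                      # renewed CRL carried from the root

function Get-CrlNextUpdate {
    param([Parameter(Mandatory)][string]$Path)
    # certutil -dump prints the CRL fields; "NextUpdate:" is when the CRL expires.
    $line = certutil -dump $Path |
        Where-Object { $_ -match 'NextUpdate:' } |
        Select-Object -First 1
    if (-not $line) { throw "Could not read NextUpdate from $Path" }
    # certutil prints the date in the local culture, so parse it the same way.
    return [datetime]::Parse(($line -replace '.*NextUpdate:\s*', '').Trim())
}

function Test-CrlCurrent {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { return $false }
    return (Get-CrlNextUpdate -Path $Path) -gt (Get-Date)
}

if (Test-CrlCurrent -Path $currentCrl) {
    Write-Host "Root CRL in CertEnroll is valid until $(Get-CrlNextUpdate -Path $currentCrl)"
} else {
    Write-Warning 'Root CRL in CertEnroll is missing or expired; enrollment fails until it is replaced.'
    if (-not (Test-CrlCurrent -Path $newCrl)) {
        throw "Renewed CRL at $newCrl is absent or already expired; re-run certutil -crl on the root."
    }

    # Replace the CRL at the HTTP CDP location (served from CertEnroll) ...
    Copy-Item -Path $newCrl -Destination $certEnroll -Force
    # ... and at the LDAP CDP location in Active Directory.
    certutil -dspublish -f $newCrl

    # Restart AD CS so the issuing CA re-validates its own chain with the fresh CRL.
    Restart-Service -Name CertSvc
}

# Confirm the issuing CA certificate chains correctly, fetching the CRL from every CDP
# URL embedded in the certificates. A "Revocation check failed" line in the output means
# some CDP is still serving a stale CRL.
$issuingCaCert = Get-ChildItem -Path $certEnroll -Filter '*.crt' | Select-Object -First 1
if ($issuingCaCert) { certutil -verify -urlfetch $issuingCaCert.FullName }
```

The verification step matters more than the copy: clients and the issuing CA may fetch the CRL from the LDAP CDP rather than the HTTP one, so publishing to only one location leaves enrollment broken for part of the estate. Scheduling the Test-CrlCurrent check ahead of the root CRL's NextUpdate gives the operator time to power on the offline root before the outage occurs.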