Your network contains an Active Directory domain named adatum.com. The domain contains a server named
CA1 that runs Windows Server 2012 R2. CA1 has the Active Directory Certificate Services server role installed
and is configured to support key archival and recovery.
You need to ensure that a user named User1 can decrypt private keys archived in the Active Directory
Certificate Services (AD CS) database. The solution must prevent User1 from retrieving the private keys from
the AD CS database.
What should you do?

A.
Assign User1 the Issue and Manage Certificates permission to CA1.

B.
Assign User1 the Read permission and the Write permission to all certificate templates.

C.
Provide User1 with access to a Key Recovery Agent certificate and a private key.

D.
Assign User1 the Manage CA permission to CA1.

Explanation:
Understanding the Key Recovery Agent Role
KRAs are Information Technology (IT) administrators who can decrypt users’ archived private keys. An
organization can assign KRAs by issuing KRA certificates to designated administrators and configure them on
the CA. The KRA role is not one of the default roles defined by the Common Criteria specifications but a virtual
role that can provide separation between Certificate Managers and the KRAs. This allows the separation
between the Certificate Manager, who can retrieve the encrypted key from the CA database but not decrypt it,
and the KRA, who can decrypt private keys but not retrieve them from the CA database.
Understanding User Key Recovery