Your company has an Active Directory domain. You install an Enterprise Root certification
authority (CA) on a member server named Server1.
You need to ensure that only the Security Manager is authorized to revoke certificates that
are supplied by Server1.
What should you do?

A.
Remove the Request Certificates permission from the Domain Users group.

B.
Remove the Request Certificated permission from the Authenticated Users group.

C.
Assign the Allow – Manage CA permission to only the Security Manager user Account.

D.
Assign the Allow – Issue and Manage Certificates permission to only the Security Manger
user account

Explanation:
http://technet.microsoft.com/en-us/library/cc732590.aspx
Implement Role-Based Administration
You can use role-based administration to organize certification authority (CA) administrators
into separate, predefined CA roles, each with its own set of tasks. Roles are assigned by
using each user’s security settings.
You assign a role to a user by assigning that user the specific security settings that are
associated with the role. A user that has one type of permission, such as Manage CA

permission, can perform specific CA tasks that a user with another type of permission, such
as Issue and Manage Certificates permission, cannot perform.
The following table describes the roles, users, and groups that can be used to implement
role-based administration.
Roles and groups
Certificate manager
Security permission
Issue and Manage Certificates
Description
Approve certificate enrollment and revocation requests. This is a CA role. This role is
sometimes referred to as CA officer. These permissions are assigned by using the
Certification Authority snap-in.