You have an enterprise root certification authority (CA) that runs Windows Server 2008 R2.
You need to ensure that you can recover the private key of a certificate issued to a Web
server.
What should you do?

A.
From the CA, run the Get-PfxCertificate cmdlet.

B.
From the Web server, run the Get-PfxCertificate cmdlet.

C.
From the CA, run the certutil.exe tool and specify the -exportpfx parameter.

D.
From the Web server, run the certutil.exe tool and specify the -exportpfx parameter.

Explanation:
http://technet.microsoft.com/en-us/library/ee449471%28v=ws.10%29.aspx

Manual Key Archival Manual key archival can be used in the following common scenarios
that are not supported by automatic key archival:
Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates used by Microsoft®
Office Outlook.
Certificates issued by CAs that do not support key archival.
Certificates installed on the Microsoft Windows® 2000 and Windows Millennium Edition
operating systems.
This topic includes procedures for exporting a private key by using the following programs
and for importing a private key to a CA database:
Certutil.exe
Certificates snap-in
Microsoft Office Outlook
..
To export private keys by using Certutil.exe
1. Open a Command Prompt window.
2. Type the Certutil.exe –exportpfx command using the command-line options described in
the following table.
Certutil.exe [-p <Password>] –exportpfx <CertificateId> <OutputFileName>