PrepAway - Latest Free Exam Questions & Answers

Your company uses an Enterprise Root certification authority (CA) and an Enterprise Intermediate C

PrepAway - Latest Free Exam Questions & Answers

Your company has an Active Directory domain. All servers run Windows Server 2008 R2.
Your company uses an Enterprise Root certification authority (CA) and an Enterprise
Intermediate CA.
The Enterprise Intermediate CA certificate expires.
You need to deploy a new Enterprise Intermediate CA certificate to all computers in the
domain.
What should you do?

A.
Import the new certificate into the Intermediate Certification Store on the Enterprise Root
CA server.

B.
Import the new certificate into the Intermediate Certification Store on the Enterprise
Intermediate CA server.

C.
Import the new certificate into the Intermediate Certification Store in the Default Domain
Controllers group policy object.

D.
Import the new certificate into the Intermediate Certification Store in the Default Domain
group policy object.

Explanation:
http://technet.microsoft.com/en-us/library/cc962065.aspx
Certification Authority Trust Model
Certification Authority Hierarchies
The Windows 2000 public key infrastructure supports a hierarchical CA trust model, called
the certification hierarchy, to provide scalability, ease of administration, and compatibility
with a growing number of commercial third-party CA services and public key-aware
products. In its simplest form, a certification hierarchy consists of a single CA. However, the
hierarchy usually contains multiple CAs that have clearly defined parent-child relationships.
Figure 16.5 shows some possible CA hierarchies.

You can deploy multiple CA hierarchies to meet your needs. The CA at the top of the
hierarchy is called a root CA . Root CAs are self-certified by using a self-signed CA
certificate. Root CAs are the most trusted CAs in the organization and it is recommended
that they have the highest security of all. There is no requirement that all CAs in an
enterprise share a common top-level CA parent or root. Although trust for CAs depends on
each domain’s CA trust policy, each CA in the hierarchy can be in a different domain.
Child CAs are called subordinate CAs. Subordinate CAs are certified by the parent CAs. A
parent CA certifies the subordinate CA by issuing and signing the subordinate CA certificate.
A subordinate CA can be either an intermediate or an issuing CA. An intermediate CA issues
certificates only to subordinate CAs. An issuing CA issues certificates to users, computers,
or services.
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/605dbf9d-2694-
4783-8002-c08b9c7d4149
Forum FAQ: How to import certificate into Intermediate Certification Authorities store?
Question)
How to
import certificate into Intermediate Certification Authorities store?
Answer)
In Windows Server 2008 or Windows Server 2008 R2 domain, we can import intermediate
CA certificates using group policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key
Policies\Intermediate Certification AUthorities
The policy is not available in Windows Server 2003. For Windows 2003 domain, you can
write a script that uses the following command to push out the intermediate CA certificate via
group policy. The server will have to be rebooted for this to take effect.
Certutil –f –addstore CA <intermediate CA name>.crt
Note: CA is the programmatic name of the Intermediate Certification Authorities store.


Leave a Reply