Which of the following CA types would you deploy if you wanted to deploy a CA at the top of a
hierarchy that could issue signing certificates to other CAs and which would be taken offline if not
issuing, renewing, or revoking signing certificates?
A.
Enterprise root
B.
Enterprise subordinate
C.
Standalone root
D.
Standalone subordinate
https://social.technet.microsoft.com/wiki/contents/articles/2900.offline-root-certification-authority-ca.aspx
“If a root CA is in some way compromised (broken into, hacked, stolen, or accessed by an unauthorized or malicious person), then all of the certificates that were issued by that CA are also compromised. Since certificates are used for data protection, identification, and authorization, the compromise of a CA could compromise the security of an entire organizational network. For that reason, many organizations that run internal PKIs install their root CA offline. That is, the CA is never connected to the company network, which makes the root CA an offline root CA. Make sure that you keep all CAs in secure areas with limited access.”
0
0
http://www.interfacett.com/blogs/deciding-between-enterprise-and-standalone-root-certification-authority-in-windows-server-2012/
“Never, ever create an Enterprise Root CA. I will find and personally humiliate you.”
0
0
Objective review 328
1. Which of the following CA types would you deploy if you wanted to deploy a CA at the top of a hierarchy that could issue signing certificates to other CAs and which would be taken offline if not issuing, renewing, or revoking signing certificates?
A. Enterprise root
B. Enterprise subordinate
C. Standalone root
D. Standalone subordinate
Correct Answer: C
A. Incorrect: Because enterprise CAs are integrated into Active Directory, they should not be taken offline.
B. Incorrect: Because enterprise CAs are integrated into Active Directory, they should not be taken offline. Additionally, subordinate CAs are not at the top of a CA hierarchy.
C. Correct: You can take a standalone root CA offline and it functions as the top of a CA hierarchy.
D. Incorrect: Subordinate CAs are not at the top of a CA hierarchy.
from the BOOK
1
0