Which of the following CA types would you deploy if you wanted to deploy a CA at the top of a
hierarchy that could issue signing certificates to other CAs and which would be taken offline if not
issuing, renewing, or revoking signing certificates?
A.
Enterprise root
B.
Enterprise subordinate
C.
Standalone root
D.
Standalone subordinate
Agreed,
Taking the CA offline suggests using Stand-alone vs Enterprise.
MikeZZL
4
0
A – Enterprise root
0
5
I was almost sure that C was correct, so when i saw your post saying that A was the correct one, even after mikieeee saying that provided answer was correct i did some research and here are the answers:
From Technet:
“Unlike an enterprise CA, a stand-alone CA does not require the use of the Active Directory directory service. Stand-alone CAs are primarily intended to be used as Trusted Offline Root CAs in a CA hierarchy or when extranets and the Internet are involved. Additionally, if you want to use a custom policy module for a CA, you would first install a stand-alone CA and then replace the stand-alone policy module with your custom policy module.”
Also: http://www.tech-faq.com/understanding-certificate-authorities.html
Stand-alone Root CA: A stand-alone root CA is also the topmost CA in the certificate chain. A stand-alone root CA is not however dependent on Active Directory, and can be removed from the network. This makes a stand-alone root CAs the solution for implementing a secure offline root CA.
So C-Standalone Root CA is definitely the right answer.
12
0
Forgot to post the link from Technet:
https://technet.microsoft.com/en-us/library/cc780501(WS.10).aspx
0
0
You’re right, as I keep my standalone server offline most of the time
1
0