PrepAway - Latest Free Exam Questions & Answers

You need to back up Active Directory Certificate Services on the C

You have an enterprise subordinate certification authority (CA). The CA is configured to use
a hardware security module.
You need to back up Active Directory Certificate Services on the CA.
Which command should you run?

A.
certutil.exe backup

B.
certutil.exe backupdb

C.
certutil.exe backupkey

D.
certutil.exe store

Explanation:
Because the CA uses a hardware security module (HSM) that stores the private keys, the
command certutil.exe -backup would fail, since the private keys cannot be extracted from the
module. The HSM should have a proprietary procedure for that.
The given commands are:
certutil -backup
Backup set includes the certificate database, the CA certificate and the CA key pair.
certutil -backupdb
Backup set includes only the certificate database.
certutil -backupkey
Backup set includes only the CA certificate and the CA key pair.
certutil -store
Provides a dump of the certificate store onscreen.
Since we cannot extract the keys from the HSM, we have to use backupdb.
Reference 1)
Microsoft Windows Server(TM) 2003 PKI and Certificate Security (Microsoft Press, 2004)
page 215
For the commands listed above.
Reference 2)
http://technet.microsoft.com/en-us/library/cc732443.aspx
Certutil.exe is a command-line program that is installed as part of Certificate Services. You
can use Certutil.exe to dump and display certification authority (CA) configuration
information, configure Certificate Services, back up and restore CA components, and verify
certificates, key pairs, and certificate chains.
Syntax
Certutil <-parameter> [-parameter]
Parameter
-backupdb
Backup the Active Directory Certificate Services database
Reference 3)
http://poweradmin.se/blog/2010/01/11/backup-and-restore-for-active-directory-certificateservices/

