PrepAway - Latest Free Exam Questions & Answers

You need to back up Active Directory Certificate Services on the C


You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware
security module.
You need to back up Active Directory Certificate Services on the CA.
Which command should you run?

A. certutil.exe -backup

B. certutil.exe -backupdb

C. certutil.exe -backupkey

D. certutil.exe -store

Explanation:
Because the CA uses a hardware security module (HSM) that stores the private keys, the command
certutil.exe -backup would fail, since we cannot extract the private keys from the module. The HSM
should have a proprietary procedure for that.
The given commands are:
certutil -backup: backup set includes the certificate database, the CA certificate and the CA key pair
certutil -backupdb: backup set only includes the certificate database
certutil -backupkey: backup set only includes the CA certificate and the CA key pair
certutil -store: provides a dump of the certificate store onscreen
Since we cannot extract the keys from the HSM, we have to use -backupdb.
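A database-only backup of an HSM-backed CA could be scripted as below. This is an added example, not part of the original explanation or its references; the backup path is an assumption, and the registry export and hash manifest go beyond what the question asks (certutil -backupdb does not capture the CA's registry configuration).

```powershell
# Added example: database-only backup of an HSM-backed CA. Run elevated on the CA.
$ErrorActionPreference = 'Stop'
$BackupRoot = 'D:\CABackup'   # assumption: local backup volume, adjust as needed
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$Target     = Join-Path $BackupRoot $Stamp
New-Item -ItemType Directory -Path $Target | Out-Null

# 1. Certificate database and logs only; the HSM-held private key is not touched.
& certutil.exe -backupdb $Target
if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed with exit code $LASTEXITCODE" }

# 2. CA configuration lives in the registry and is not part of the database backup.
$RegFile = Join-Path $Target 'CertSvc-Configuration.reg'
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $RegFile /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 3. Sanity check: the backup set must contain a database file.
$Edb = Get-ChildItem -Path $Target -Recurse -Filter '*.edb'
if (-not $Edb) { throw "No .edb file found under $Target" }

# 4. SHA-256 manifest, stored beside the backup folder, so a restore can
#    detect corruption or tampering before the files are trusted.
$Manifest = Join-Path $BackupRoot "$Stamp.sha256.csv"
Get-ChildItem -Path $Target -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path $Manifest -NoTypeInformation
```

The key pair itself still has to be protected through the HSM vendor's own backup procedure, as the explanation notes.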
Reference 1:
Microsoft Windows Server(TM) 2003 PKI and Certificate Security (Microsoft Press, 2004)
page 215
For the commands listed above.
Reference 2:
http://technet.microsoft.com/en-us/library/cc732443.aspx
Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe
to dump and display certification authority (CA) configuration information, configure Certificate Services, back
up and restore CA components, and verify certificates, key pairs, and certificate chains.
Syntax: Certutil <-parameter> [-parameter]
Parameter: -backupdb
Backup the Active Directory Certificate Services database
Reference 3:
http://poweradmin.se/blog/2010/01/11/backup-and-restore-for-active-directory-certificate-services/
Blog with extra info, tips and a post:
kids says:
Hello,
Need your expert view on this question:
You have an enterprise subordinate certificate authority (CA). The CA is configured to use a hardware security
module. You need to back up Active Directory Certificate Services on the CA
– certutil.exe -backupkey
– certutil.exe -backup
– certutil.exe -store
– certutil.exe -backupdb
The answer is -backupdb since it is using a hardware security module (HSM). Am I correct?
DXter says:
Yes. But I would have used: certutil.exe -backupdb KeepLog

