Your network contains an Active Directory domain named adatum.com. The domain contains a
server named CA1 that runs Windows Server 2012 R2. CA1 has the Active Directory Certificate
Services server role installed and is configured to support key archival and recovery.
You need to ensure that a user named User1 can decrypt private keys archived in the Active
Directory Certificate Services (AD CS) database. The solution must prevent User1 from retrieving the
private keys from the AD CS database.
What should you do?

A.
Assign User1 the Issue and Manage Certificates permission to CA1.

B.
Assign User1 the Read permission and the Write permission to all certificate templates.

C.
Provide User1 with access to a Key Recovery Agent certificate and a private key.

D.
Assign User1 the Manage CA permission to CA1.

Explanation:
Understanding the Key Recovery Agent Role
KRAs are Information Technology (IT) administrators who can decrypt users’ archived private keys.
An organization can assign KRAs by issuing KRA certificates to designated administrators and
configure them on the CA. The KRA role is not one of the default roles defined by the Common
Criteria specifications but a virtual role that can provide separation between Certificate Managers
and the KRAs. This allows the separation between the Certificate Manager, who can retrieve the
encrypted key from the CA database but not decrypt it, and the KRA, who can decrypt private keys
but not retrieve them from the CA database.

Understanding User Key Recovery