PrepAway - Latest Free Exam Questions & Answers

You need to ensure that new certificates issued based on CertTemplate1 can be recovered

You have an enterprise certification authority (CA) named CA1.
You configure a recovery agent for CA1.
On CA1, you create a new certificate template named CertTemplate1, and then you configure CA1
to allow certificates to be requested based on CertTemplate1.
You need to ensure that new certificates issued based on CertTemplate1 can be recovered.
What should you do?


A. From the Certificate Templates console, modify the Issuance Requirements settings of CertTemplate1.

B. From the Certification Authority console, modify the enrollment agents of CA1.

C. From the Certificate Templates console, modify the Request Handling settings of CertTemplate1.

D. From the Certification Authority console, modify the certificate managers of CA1.

Explanation:
The key archival process takes place when a certificate is issued. Therefore, a certificate template
must be modified to archive keys before any certificates are issued based on this template.
See step 7 below.
To configure a certificate template for key archival and recovery:
1. Open the Certificate Templates snap-in.
2. In the details pane, right-click the certificate template that you want to change, and then
click Duplicate Template.
3. In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of
your certification authorities (CAs) and client computers are running Windows Server 2008 R2,
Windows Server 2008, Windows 7, or Windows Vista.
4. In Template, type a new template display name, and then modify any other optional
properties as needed.
5. On the Security tab, click Add, type the name of the users or groups you want to issue the
certificates to, and then click OK.
6. Under Group or user names, select the user or group names that you just added. Under
Permissions, select the Read and Enroll check boxes, and if you want to automatically issue the
certificate, also select the Autoenroll check box.
7. On the Request Handling tab, select the Archive subject’s encryption private key check box.
8. If users already have EFS certificates that are not configured for key archival and recovery,
click the Superseded Templates tab, click Add, and then click the name of the template that you
want to replace.
9. Click OK.
Reference: Configure a Certificate Template for Key Archival
https://technet.microsoft.com/en-us/library/cc753826.aspx
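To confirm the result of the procedure above without opening the console, the template's Active Directory attributes can be read and checked. The following is an added example, not part of the original page or Microsoft's documentation; it assumes the template's directory name (CN) is CertTemplate1, and the sample attribute values are constructed.

```powershell
# Added example (not from the original page). Attribute names and flag values are
# from Microsoft's certificate template schema (MS-CRTD).
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001  # bit in msPKI-Private-Key-Flag
$AT_KEYEXCHANGE = 1                                 # pKIDefaultKeySpec: encryption-capable key

function Test-TemplateKeyArchival {
    param([Parameter(Mandatory)][hashtable] $Template)
    $findings = @()
    if ([int]$Template['msPKI-Template-Schema-Version'] -lt 2) {
        $findings += 'Version 1 template: duplicate it first (steps 2-3).'
    }
    if (-not ([int]$Template['msPKI-Private-Key-Flag'] -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL)) {
        $findings += 'Archive flag not set on the Request Handling tab (step 7).'
    }
    if ([int]$Template['pKIDefaultKeySpec'] -ne $AT_KEYEXCHANGE) {
        $findings += 'Key purpose is signature-only; archival applies to encryption keys.'
    }
    [pscustomobject]@{
        Name        = $Template['cn']
        Recoverable = ($findings.Count -eq 0)
        Findings    = $findings -join ' '
    }
}

# Live lookup through ADSI; run as a domain user on a domain-joined machine.
function Get-TemplateAttributes {
    param([Parameter(Mandatory)][string] $Name)
    $config = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $entry  = [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
    $attrs  = @{}
    foreach ($a in 'cn', 'msPKI-Template-Schema-Version', 'msPKI-Private-Key-Flag', 'pKIDefaultKeySpec') {
        $attrs[$a] = $entry.Properties[$a].Value
    }
    $attrs
}

# Constructed sample data: the same template before and after step 7.
# 0x10 is CT_FLAG_EXPORTABLE_KEY; 0x11 adds the archival bit.
$before = @{ cn = 'CertTemplate1'; 'msPKI-Template-Schema-Version' = 2
             'msPKI-Private-Key-Flag' = 0x10; 'pKIDefaultKeySpec' = 1 }
$after  = @{ cn = 'CertTemplate1'; 'msPKI-Template-Schema-Version' = 2
             'msPKI-Private-Key-Flag' = 0x11; 'pKIDefaultKeySpec' = 1 }
$before, $after | ForEach-Object { Test-TemplateKeyArchival -Template $_ }

# Against a real forest:
# Test-TemplateKeyArchival -Template (Get-TemplateAttributes -Name 'CertTemplate1')
```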

3 Comments on “You need to ensure that new certificates issued based on CertTemplate1 can be recovered”

  1. NPratas says:

    B

    High Assurance (1.3.6.1.4.1.311.21.8.x.y.z.1.402). The high assurance object identifier is used to represent certificates that are issued with the highest security. For example, the issuance of a key recovery agent certificate might require additional background checks and a digital signature from a designated approver because a person holding this certificate can recover private key material from an enterprise CA.

    To modify an issuance policy
    Open the Certificate Templates snap-in.
    In the details pane, right-click the certificate template that you want to change, and then click Properties.
    Click the Issuance Requirements tab.
    Provide the requested information

    https://technet.microsoft.com/en-us/library/cc753139(v=ws.11).aspx



