You need to ensure that new certificates issued based o…

You have an enterprise certification authority (CA) named CA1.
You configure a recovery agent for CA1.
On CA1, you create a new certificate template named CertTemplate1, and then you configure CA1 to allow
certificates to be requested based on CertTemplate1. You need to ensure that new certificates issued based on
CertTemplate1 can be recovered.
What should you do?

A. From the Certificate Templates console, modify the Issuance Requirements settings of CertTemplate1.

B. From the Certification Authority console, modify the enrollment agents of CA1.

C. From the Certificate Templates console, modify the Request Handling settings of CertTemplate1.

D. From the Certification Authority console, modify the certificate managers of CA1.

Explanation:
The key archival process takes place when a certificate is issued. Therefore, a certificate template must be
modified to archive keys before any certificates are issued based on this template.
See step 7 below.
To configure a certificate template for key archival and recovery
1. Open the Certificate Templates snap-in.
2. In the details pane, right-click the certificate template that you want to change, and then click Duplicate
Template.
3. In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of your
certification authorities (CAs) and client computers are running Windows Server 2008 R2, Windows Server
2008, Windows 7, or Windows Vista.
4. In Template, type a new template display name, and then modify any other optional properties as
needed.
5. On the Security tab, click Add, type the name of the users or groups you want to issue the certificates to,
and then click OK.
6. Under Group or user names, select the user or group names that you just added. Under Permissions,
select the Read and Enroll check boxes, and if you want to automatically issue the certificate, also select
the Autoenroll check box.
7. On the Request Handling tab, select the Archive subject’s encryption private key check box.
8. If users already have EFS certificates that are not configured for key archival and recovery, click the
Superseded Templates tab, click Add, and then click the name of the template that you want to replace.
9. Click OK.
Configure a Certificate Template for Key Archival: https://technet.microsoft.com/en-us/library/cc753826.aspx
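
One way to confirm the result of step 7 without opening the console, as an added example that is not part of the original explanation: it reads the template object from Active Directory and checks the key-archival bit in msPKI-Private-Key-Flag. It assumes the ActiveDirectory (RSAT) module is installed and that the template's cn is CertTemplate1; the function name Test-TemplateKeyArchival is hypothetical.

```powershell
# Added example: audit whether a certificate template requests private key archival.
# Assumes the ActiveDirectory module (RSAT) and read access to the configuration partition.
Import-Module ActiveDirectory

# CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL bit of the msPKI-Private-Key-Flag attribute
$ArchivalFlag = 0x00000001
# AT_KEYEXCHANGE: the archived key is the subject's encryption key
$KeyExchange  = 1

function Test-TemplateKeyArchival {
    param(
        # Restrict the name to simple characters so it is safe inside the LDAP filter
        [Parameter(Mandatory)]
        [ValidatePattern('^[\w\- ]+$')]
        [string]$TemplateName
    )

    # Templates are stored forest-wide in the configuration naming context
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    $tpl = Get-ADObject -SearchBase $base -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))" `
        -Properties 'msPKI-Private-Key-Flag', 'pKIDefaultKeySpec',
                    'msPKI-Template-Schema-Version', 'displayName'

    if (-not $tpl) { throw "Template '$TemplateName' not found under $base" }

    # A missing attribute casts to 0, so such a template reports ArchivalEnabled = False
    $flags = [int]$tpl.'msPKI-Private-Key-Flag'

    [pscustomobject]@{
        Template        = $tpl.Name
        DisplayName     = $tpl.displayName
        SchemaVersion   = $tpl.'msPKI-Template-Schema-Version'
        EncryptionKey   = ($tpl.pKIDefaultKeySpec -eq $KeyExchange)
        ArchivalEnabled = (($flags -band $ArchivalFlag) -ne 0)
    }
}

# CertTemplate1 is the template name used in the question above
Test-TemplateKeyArchival -TemplateName 'CertTemplate1'
```

ArchivalEnabled should read True before the CA issues any certificate from the template, because archival happens at issuance and certificates issued earlier are not covered.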


