HOTSPOT
You have a server named Server1 that has the Web Server (IIS) server role installed.
You obtain a Web Server certificate.
You need to configure a website on Server1 to use Secure Sockets Layer (SSL).
To which store should you import the certificate?
To answer, select the appropriate store in the answer area.
Explanation:
http://technet.microsoft.com/en-us/library/cc740068(v=ws.10).aspx
When you enable secure communications (SSL and TLS) on an Internet Information
Services (IIS) computer, you must first obtain a server certificate.
If it is a self-signed certificate, it can only be used on the local server machine.
If it is a public certificate, you’ll need to download the root certificate of the issuing CA and
install it into the Trusted Root Certification Authorities store.
Root certificates provide a level of trust that certificates that are lower in the hierarchy can
inherit. Each certificate is inspected for a parent certificate until the search reaches the root
certificate.
For more information about certificates, please refer to:
http://technet.microsoft.com/en-us/library/cc700805.aspx
http://support.microsoft.com/kb/232137/en-us
http://www.sqlservermart.com/HowTo/Windows_Import_Certificate.aspx
http://msdn.microsoft.com/en-us/library/windows/hardware/ff553506%28v=vs.85%29.aspx
http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis
http://support.microsoft.com/kb/299875/en-us
http://technet.microsoft.com/en-us/library/dd163531.aspx
http://blogs.msdn.com/b/mosharaf/archive/2006/10/30/using-test-certificate-with-reportingservices-2005-to-establish-ssl-connection.aspx
The Web Hosting Certificate Store is new to Server 2012 and is probably the answer.
Placed into either Personal or Web Hosting, IIS will be able to utilise it. For this exam I would lean towards Personal simply because Web Hosting is designed for when you have more than say 20 certificates.
Agree, but I lean towards the Web Hosting store as it’s a new feature and probably better practice (since you might add 200 more certs after this first one).
https://www.digicert.com/ssl-certificate-installation-microsoft-iis-8.htm
Great. The study material from MS doesn’t make a peep about IIS and then wants people to answer questions about it. This is the most crooked exam I ever came across.
Watch the TechEd event for 70-411,417. They explain that these exams are aimed at people who have actually used the product in depth. Wish people would stop gobbing off and actually use the products instead of simply reading the books\video training expecting to pass.
There are no objectives for Certification Authority but need to implement for labs with VPN, HRA (EAP), BitLocker, Web Application Proxy. At such a point you will know where that certificate for IIS needs to go.
Hey thanks for letting us know about TechEd. I had no idea!
Every role of Windows Server is something that larger organizations have teams of people dedicated to. Further, not every site needs failover clustering, IIS, VPN, NPS, BitLocker, or any of the dozens of potential features. I’ve administered Windows Server for about 10 years and there are still things I don’t know because most jobs don’t require 100% knowledge of every feature of Windows and how to configure it via the GUI, command line, and PowerShell.
Memorizing PowerShell switches, registry keys, GPO folders, and other things is ridiculous. There are many questions in the MCSA exams that are “look it up once, configure it, document it, move on” scenarios and should never be committed to memory. The level of specialization they require on every feature is counterproductive. If you have years of in-depth work with GPOs to the point you memorize sub folders and need to delegate linking, your career path probably went away from needing a great deal of failover cluster managing because that would be handled by an entirely different team possibly in another building or state.
Windows does a lot of stuff and expecting people to memorize minutia of features they may never use is not productive. Most of us could probably build out a respectable domain in 3 hours without much effort, but asking for the name of a field in an applet or a sub switch of a command that might be used once is absurd.
11+ years administering windows env
100% agree with you
and I don’t talk about win services managed by other team (ie radius sv managed by network team)
Agree also on the void between real world application of knowledge and what is expected from the exam.
It comes down to cost in the end. If MS designed a real-world syllabus for implementing everything Server 2012 can do it is pretty much a 2+ year university/college course.
That is expensive, so they get you to memorize facts that can be tested via multiple choice. It’s lame, but it does force people to at least learn about the features, and there are a few interesting questions that do get you to think and look into something more deeply.
It’s just a gauge of how much you CARE about your work in the end, as even brain-dumping your way through an exam takes a time investment (and a significant one if you are like me and like to fully understand the answers).
I couldn’t agree more. I passed 410 but overall this question has nothing to do with real life and just forces you to try to memorize crap things you are not able to, and you’re gonna have to check TechNet anyway before you start doing anything.
Thanks for the TechEd tip 🙂
this exam is doing my head in
The answer is correct by the way.
SSL Certificates
Two kinds of certificates are used in HTTPS (HTTP over SSL) authentication:
• Server certificates. This certificate contains information about the server that allows a client to identify the server before sharing sensitive information.
• Client certificates. This certificate contains personal information about the user and identifies the SSL client (the sender) to the server.
Server Certificates
Before an SSL connection can be established for sending messages, the recipient computer requires a server certificate that resides in the Personal store under Certificates (Local Computer) in the Certificates snap-in on the recipient computer.
A server certificate obtained from a CA can be issued to the NetBIOS name or full DNS name of a computer. When HTTPS messages are sent, the destination specified in messages must be identical to the computer name in the recipient’s server certificate.
IIS on the recipient side must send the recipient’s server certificate to the sender for authentication. This server certificate, which contains the signature of the CA, the recipient’s public key, additional information on the recipient, and an expiration date, must be from a CA that the sender trusts. To authenticate the recipient computer, the sender verifies that it trusts the CA and validates the signature in the recipient’s server certificate.
When a sender computer trusts a CA, such as VeriSign or Microsoft Certificate Services, it has a certificate from that CA containing the CA’s signature and public key in the Trusted Root Certification Authorities store under Certificates (Local Computer) in the Certificates snap-in.
Client Certificates
An additional optional security component can be required for SSL sessions if IIS on the recipient side also requests the sender’s client certificate for authentication. Client certificates are also obtained from a trusted CA and are stored in the client’s Personal certificate store. The latter is accessible from the Certificates MMC snap-in on the sending computer.
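The import and trust steps described above, as a PowerShell sketch added here (it is not part of the original page or of Microsoft's documentation). It assumes an elevated session on Server 2012 or later; the file paths, host name and site name are placeholders.

```powershell
# Added example. Paths, host name and site name below are placeholders.
Import-Module WebAdministration            # IIS cmdlets (the PKI module autoloads)

$pfxPath  = 'C:\certs\server1.pfx'         # placeholder: certificate plus private key
$rootPath = 'C:\certs\ca-root.cer'         # placeholder: CA root certificate
$dnsName  = 'server1.example.com'          # placeholder: name clients will request
$siteName = 'Default Web Site'             # placeholder: IIS site to secure
$store    = 'My'                           # 'My' is Personal; 'WebHosting' on Server 2012+

# 1. Server certificate goes into a Local Computer store, not Current User:
#    the HTTPS binding references a Local Computer store by name.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $pfxPath -Password $pfxPassword `
            -CertStoreLocation "Cert:\LocalMachine\$store"

# 2. CA root goes into Trusted Root Certification Authorities
#    (only needed when the issuing root is not already trusted).
Import-Certificate -FilePath $rootPath `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Checks before binding: private key present, not expired,
#    chain builds to a trusted root and the name matches.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; IIS cannot use it."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)."
}
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $dnsName)) {
    throw "Chain or name validation failed for $dnsName."
}

# 4. Create the HTTPS binding if missing and attach the certificate,
#    naming the same store it was imported into.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, $store)
```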
local computer –> personal