Your network contains an Active Directory domain named adatum.com. The domain
contains a server named CA1 that runs Windows Server 2012 R2. CA1 has the Active
Directory Certificate Services server role installed and is configured to support key archival
and recovery.
You need to ensure that a user named User1 can decrypt private keys archived in the Active
Directory Certificate Services (AD CS) database. The solution must prevent User1 from
retrieving the private keys from the AD CS database.
What should you do?
A.
Assign User1 the Issue and Manage Certificates permission to CA1.
B.
Assign User1 the Read permission and the Write permission to all certificate templates.
C.
Provide User1 with access to a Key Recovery Agent certificate and a private key.
D.
Assign User1 the Manage CA permission to CA1.
Explanation:
http://social.technet.microsoft.com/wiki/contents/articles/7573.active-directory-certificateservices-pki-keyarchival-and-management.aspx#Protecting_Key_Recovery_Agent_Keys
C.
Provide User1 with access to a Key Recovery Agent certificate and a private key.