Your network contains an Active Directory domain named contoso.com.
You deploy Active Directory Certificate Services (AD CS).
Your company, which is named Contoso, Ltd., has a partner company named Fabrikam, Inc.
Fabrikam also deploys AD CS.
Contoso and Fabrikam plan to exchange signed and encrypted email messages.
You need to ensure that the client computers in both Contoso and Fabrikam trust each other’s email certificates. The solution must prevent other certificates from being trusted and minimize administrative effort.
What should you do?
More than one answer choice may achieve the goal. Select the BEST answer.
A. Implement an online responder in each company.
B. Exchange the root certification authority (CA) certificates of both companies, and then deploy the certificates to the Enterprise Trust store by using Group Policy objects (GPOs).
C. Implement cross-certification in each company.
D. Exchange the root certification authority (CA) certificates of both companies, and then deploy the certificates to the Trusted Root Certification Authorities store by using Group Policy objects (GPOs).
The solution could be implemented by using either B or C.
https://technet.microsoft.com/en-us/library/cc737306(v=ws.10).aspx
Cross-certification is the one recommended by Microsoft, as it gives more control. However, a CTL is easier to implement.
My issue with the answer is that an exchange of CA certificates is required to implement cross-certification. Answer B explicitly mentions the exchange of certs while C does not.
C seems to be an incomplete answer.
B does not minimize administrative effort. With cross-certification, the user only needs to have a trust relationship with their own CA, and then the CA will do the rest of the work. With B, the user’s machine must trust both individually.
I believe the answer is B.
You need to:
Ensure that the client computers in both Contoso and Fabrikam trust each other’s email certificates.
The solution must prevent other certificates from being trusted.
Minimize administrative effort.
C will minimise admin effort but would allow trust of all certs issued by the CA with which the cross-certification has been associated, therefore not meeting the requirements.
These links should help
https://redmondmag.com/articles/2003/11/01/cross-certification-trusts.aspx
http://windowsitpro.com/security/how-do-i-create-certificate-trust-list-domain
http://serverfault.com/questions/646806/what-is-the-purpose-of-a-custom-certificate-trust-list
https://technet.microsoft.com/en-us/library/cc728450(v=ws.10).aspx
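The disagreement in the comments above comes down to one question: once the partner's root is made trustworthy on a client, for which purposes does that trust apply? The following is an added example, not part of the original question or any of the answers. It is a simplified, name-based model of certificate path validation written for this page: it does not check signatures, validity periods or revocation, only whether a certificate chains to a trust anchor on the client and which purposes (EKUs) survive along that path. The CA names, the user and server certificates, the `ClientTrust` class and the helper functions are all constructed for the example. It compares a root placed in the Trusted Root Certification Authorities store (option D), a root placed in the Enterprise Trust store through a CTL limited to Secure Email (option B), and a cross-certificate issued by Contoso's root to Fabrikam's root, both with and without an EKU restriction (option C).

```python
"""Trust-scope model for the three designs discussed in the thread (added example).

Simplified path validation: no signature, validity or revocation checks, only
"does this certificate reach a trust anchor on the client, and for which
purposes?"  All names below are constructed samples, not real certificates.
"""
from dataclasses import dataclass

# Extended Key Usage purposes used by the model (a subset of the real OIDs).
EMAIL = "emailProtection"   # 1.3.6.1.5.5.7.3.4, S/MIME signing and encryption
SERVER = "serverAuth"       # 1.3.6.1.5.5.7.3.1
CODE = "codeSigning"        # 1.3.6.1.5.5.7.3.3
PURPOSES = frozenset({EMAIL, SERVER, CODE})
MAX_DEPTH = 8               # guard against issuer loops


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False
    # An empty set models a certificate with no EKU extension: valid for any purpose.
    ekus: frozenset = frozenset()

    def allowed(self) -> frozenset:
        return self.ekus or PURPOSES


@dataclass
class ClientTrust:
    """What one client computer has received through Group Policy (hypothetical)."""
    trusted_roots: tuple       # Trusted Root Certification Authorities store
    ctl: dict                  # Enterprise Trust store: root -> purposes listed in the CTL
    intermediates: tuple = ()  # other CA certs the client can use, e.g. cross-certificates

    def issuers_of(self, cert: Cert) -> list:
        pool = self.trusted_roots + tuple(self.ctl) + self.intermediates
        return [c for c in pool if c.is_ca and c.subject == cert.issuer and c != cert]

    def trusted_purposes(self, cert: Cert, depth: int = 0) -> frozenset:
        """Purposes for which `cert` chains to an anchor; an empty set means untrusted."""
        if depth > MAX_DEPTH:
            return frozenset()
        if cert in self.trusted_roots:        # anchor: trusted for every purpose it allows
            return cert.allowed()
        if cert in self.ctl:                  # anchor: trusted only for the CTL's purposes
            return cert.allowed() & self.ctl[cert]
        result = frozenset()
        for issuer in self.issuers_of(cert):  # try every path, as a chain engine does
            result |= cert.allowed() & self.trusted_purposes(issuer, depth + 1)
        return result

    def trusts(self, cert: Cert, purpose: str) -> bool:
        return purpose in self.trusted_purposes(cert)


# Constructed sample PKI for the two companies plus an unrelated CA.
CONTOSO_ROOT = Cert("Contoso Root CA", "Contoso Root CA", is_ca=True)
FABRIKAM_ROOT = Cert("Fabrikam Root CA", "Fabrikam Root CA", is_ca=True)
FAB_EMAIL = Cert("alice@fabrikam.com", "Fabrikam Root CA", ekus=frozenset({EMAIL}))
FAB_WEB = Cert("www.fabrikam.com", "Fabrikam Root CA", ekus=frozenset({SERVER}))
ROGUE_EMAIL = Cert("mallory@contoso.com", "Rogue CA", ekus=frozenset({EMAIL}))
# Cross-certificates: Contoso's root certifies Fabrikam's root, with or without an EKU limit.
CROSS_EMAIL_ONLY = Cert("Fabrikam Root CA", "Contoso Root CA", is_ca=True, ekus=frozenset({EMAIL}))
CROSS_UNRESTRICTED = Cert("Fabrikam Root CA", "Contoso Root CA", is_ca=True)


def option_d() -> ClientTrust:   # partner root in Trusted Root Certification Authorities
    return ClientTrust(trusted_roots=(CONTOSO_ROOT, FABRIKAM_ROOT), ctl={})


def option_b() -> ClientTrust:   # partner root in Enterprise Trust via a Secure Email CTL
    return ClientTrust(trusted_roots=(CONTOSO_ROOT,), ctl={FABRIKAM_ROOT: frozenset({EMAIL})})


def option_c(cross: Cert) -> ClientTrust:   # cross-certificate issued by Contoso's own root
    return ClientTrust(trusted_roots=(CONTOSO_ROOT,), ctl={}, intermediates=(cross,))


def summarize(client: ClientTrust) -> dict:
    return {
        "fabrikam email": client.trusts(FAB_EMAIL, EMAIL),
        "fabrikam web": client.trusts(FAB_WEB, SERVER),
        "rogue email": client.trusts(ROGUE_EMAIL, EMAIL),
    }


if __name__ == "__main__":
    for name, client in [("D: trusted root", option_d()), ("B: CTL", option_b()),
                         ("C: cross-cert, email only", option_c(CROSS_EMAIL_ONLY)),
                         ("C: cross-cert, unrestricted", option_c(CROSS_UNRESTRICTED))]:
        print(f"{name:28} {summarize(client)}")
```

Running it shows the distinction the commenters are arguing over: option D trusts Fabrikam's web server certificate as well as its email certificates, while the CTL and an EKU-limited cross-certificate trust only the email certificate; an unrestricted cross-certificate trusts everything Fabrikam's CA issues. None of the designs trusts the certificate from the unrelated CA.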