Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates.
You need to implement key archival.
What should you do?
A.
Configure the certificate for automatic enrollment for the computers that store encrypted files.
B.
Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.
C.
Apply the Hisecdc security template to the domain controllers.
D.
Archive the private key on the server.
Explanation:
Answer: Archive the private key on the server.
http://technet.microsoft.com/en-us/library/cc753011.aspx
Enable Key Archival for a CA
Before a key recovery agent can use a key recovery certificate, the key recovery agent must have enrolled for
the key recovery certificate and be registered as the recovery agent for the certification authority (CA).
You must be a CA administrator to complete this procedure.
To enable key archival for a CA:
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. Click the Recovery Agents tab, and then click Archive the key.
5. In Number of recovery agents to use, type the number of key recovery agents that will be used to encrypt
the archived key.
The Number of recovery agents to use must be between one and the number of key recovery agent
certificates that have been configured.
6. Click Add. Then, in Key Recovery Agent Selection, click the key recovery certificates that are displayed, and
click OK.
7. The certificates should appear in the Key recovery agent certificates list, but their status is listed as Not
loaded.
8. Click OK or Apply. When prompted to restart the CA, click Yes. When the CA has restarted, the status of
the certificates should be listed as Valid.
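The following check is an added example, not part of the quoted TechNet procedure. It reads the CA's registry configuration after the steps above and tests the rule from step 5, then asks the CA for the recovery agent certificate status expected in step 8. It assumes an elevated PowerShell session on the CA server itself.

```powershell
# Added example: verify key archival settings on the local CA after the GUI procedure.
# Assumption: run elevated on the CA server; the CertSvc service hosts a single active CA.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$cfg    = Get-ItemProperty -Path (Join-Path $base $caName)

# KRACertCount holds "Number of recovery agents to use" (step 5).
# KRACertHash holds one thumbprint per key recovery certificate added in step 6.
$toUse      = [int]$cfg.KRACertCount
$configured = @($cfg.KRACertHash | Where-Object { $_ })

if ($toUse -lt 1) {
    Write-Warning "Key archival is not enabled on '$caName' (no recovery agents in use)."
}
elseif ($toUse -gt $configured.Count) {
    # Step 5: the number must not exceed the configured key recovery agent certificates.
    Write-Warning "'$caName' uses $toUse recovery agents but only $($configured.Count) certificates are configured."
}
else {
    Write-Output "'$caName' archives keys to $toUse of $($configured.Count) configured recovery agent certificates."
}

# The new settings only take effect after the CA restart in step 8.
$svc = Get-Service -Name CertSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "Certificate Services is $($svc.Status); restart it before checking certificate status."
}
else {
    # Ask the running CA how it sees its recovery agent certificates.
    certutil -CAInfo kracount   # key recovery certificates known to the CA
    certutil -CAInfo kraused    # how many are used to encrypt each archived key
    certutil -CAInfo krastate   # per-certificate state; should not report "not loaded"
}
```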
Further information:
http://technet.microsoft.com/en-us/library/ee449489%28v=ws.10%29.aspx
Key Archival and Management in Windows Server 2008
http://technet.microsoft.com/en-us/library/cc730721.aspx
Managing Key Archival and Recovery
D