Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue
certificates.
You need to implement key archival.
What should you do?
A. Configure the certificate for automatic enrollment for the computers that store encrypted
files.
B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted
files.
C. Apply the Hisecdc security template to the domain controllers.
D. Archive the private key on the server.
Explanation:
Answer) Archive the private key on the server.
http://technet.microsoft.com/en-us/library/cc753011.aspx
Enable Key Archival for a CA
Before a key recovery agent can use a key recovery certificate, the key recovery agent must
have enrolled for the key recovery certificate and be registered as the recovery agent for the
certification authority (CA).
You must be a CA administrator to complete this procedure.
To enable key archival for a CA:
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. Click the Recovery Agents tab, and then click Archive the key.
5. In Number of recovery agents to use, type the number of key recovery agents that will be
used to encrypt the archived key. The Number of recovery agents to use must be between one
and the number of key recovery agent certificates that have been configured.
6. Click Add. Then, in Key Recovery Agent Selection, click the key recovery certificates that
are displayed, and click OK.
7. The certificates should appear in the Key recovery agent certificates list, but their status is
listed as Not loaded.
8. Click OK or Apply. When prompted to restart the CA, click Yes. When the CA has
restarted, the status of the certificates should be listed as Valid.
Further information:
http://technet.microsoft.com/en-us/library/ee449489%28v=ws.10%29.aspx
Key Archival and Management in Windows Server 2008
http://technet.microsoft.com/en-us/library/cc730721.aspx
Managing Key Archival and Recovery