You need to implement a Certificate Services solution that meets the following requirements: Automates the distribution of certificates for internal users

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to implement a Certificate Services solution that meets the following requirements:
Automates the distribution of certificates for internal users.
Ensures that the network’s certificate infrastructure is as secure as possible.
Gives external users access to resources that use certificate-based authentication.
What should you do?

A.
Deploy an online standalone root certification authority (CA). Deploy an offline standalone root CA.

B.
Deploy an offline enterprise root certification authority (CA). Deploy an offline enterprise subordinate CA.

C.
Deploy an offline standalone root certification authority (CA). Deploy an online enterprise subordinate CA.
Deploy an online standalone subordinate CA.

D.
Deploy an online standalone root certification authority (CA). Deploy an online enterprise subordinate CA.
Deploy an online standalone subordinate CA.

Explanation:
CERTIFICATION AUTHORITY
Enterprise and stand-alone CAs can be configured as either Root CAs or Subordinate CAs. Subordinate CAs can further be configured as either Intermediate CAs (also referred to as policy CAs) or Issuing CAs.

Enterprise CAs are integrated with Active Directory. They publish certificates and CRLs to Active Directory. Enterprise CAs use information stored in Active Directory, including user accounts and security groups, to approve or deny certificate requests. Enterprise CAs use certificate templates. When a certificate is issued, the enterprise CA uses information in the certificate template to generate a certificate with the appropriate attributes for that certificate type.

If you want to enable automated certificate approval and automatic user certificate enrollment, use enterprise CAs to issue certificates. These features are only available when the CA infrastructure is integrated with Active Directory. Additionally, only enterprise CAs can issue certificates that enable smart card logon, because this process requires that smart card certificates be mapped automatically to the user accounts in Active Directory.

Stand-alone CAs do not require Active Directory and do not use certificate templates. If you use stand-alone CAs, all information about the requested certificate type must be included in the certificate request. By default, all certificate requests submitted to stand-alone CAs are held in a pending queue until a CA administrator approves them. You can configure stand-alone CAs to issue certificates automatically upon request, but this is less secure and is usually not recommended, because the requests are not authenticated.

A root CA is the CA that is at the top of a certification hierarchy and must be trusted unconditionally by clients in your organization. All certificate chains terminate at a root CA. Whether you use enterprise or stand-alone CAs, you need to designate a root CA. The decision to designate a CA as a trusted root CA can be made at either the enterprise level or locally, by the individual IT administrator. You can maximize the security of the root CA by keeping it disconnected from the network and using subordinate CAs to issue certificates to other subordinate CAs or to end users.

Subordinate CAs are CAs that are not root CAs. The first subordinate CA in a hierarchy obtains its CA certificate from the root CA. This first subordinate CA can, in turn, use this key to issue certificates that verify the integrity of another subordinate CA. These higher subordinate CAs are referred to as intermediate CAs. An intermediate CA is subordinate to a root CA, but also serves as a higher certifying authority to one or more subordinate CAs. An intermediate CA is often referred to as a policy CA because it is typically used to separate classes of certificates that can be distinguished by policy.

Note: Most organizations use one root CA and two policy CAs – one to support internal users, the second to support external users.
http://technet.microsoft.com/en-us/library/cc756989(v=ws.10).aspx