You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network either run Windows Server 2003 or Windows Server 2008 and all client computers run Windows Vista.
The company possesses a public key infrastructure (PKI) that consists of an offline root certification authority (CA) and two Enterprise Subordinate CAs that run Windows Server 2003.
You publish the certificates to the user accounts and the computer accounts in Active Directory.
Which of the following options would you choose to create a PKI solution for the Windows Vista client computers and the Windows Server 2008 servers, such that the certificates support Suite B hashing and encryption algorithms and private keys are stored in Active Directory, with the minimum amount of administrative effort?
A. Configure cross-certification between the CA hierarchies by creating a new PKI that uses Windows Server 2008 CAs.
B. Install a new Windows Server 2008 enterprise subordinate CA.
C. Install a new Windows Server 2008 stand-alone subordinate CA.
D. Create a new Active Directory forest and configure one-way forest trusts between the two forests by deploying a new PKI that uses Windows Server 2008 CAs.
E. None of the above.
Explanation:
To create a PKI solution for the Windows Vista client computers and the Windows Server 2008 servers that meets the desired requirements, you need to install a new Windows Server 2008 enterprise subordinate CA.
To use Suite B algorithms for cryptographic operations, you first need a Windows Server 2008-based CA to issue certificates that are Suite B-enabled.
Suite B algorithms such as ECC are supported only on the Windows Vista® and Windows Server 2008 operating systems. This means it is not possible to use those certificates on earlier versions of Windows such as Windows XP or Windows Server 2003.
If you already have a PKI with CAs running Windows Server 2003 or where classic algorithms are being used to support existing applications, you can add a subordinate CA on a server running Windows Server 2008, but you must continue using classic algorithms.
Reference: Cryptography Next Generation / How should I prepare to deploy this feature? http://technet.microsoft.com/en-us/library/cc730763.aspx
The right answer is A.
http://technet.microsoft.com/en-us/library/cc730763.aspx
To introduce Suite B algorithms into an existing environment where classic algorithms are used, consider adding a second PKI and perform a cross-certification between the two CA hierarchies.