HOTSPOT
You have a server named Server1 that has the Network Policy and Access Services server role
installed.
You plan to configure Network Policy Server (NPS) on Server1 to use certificate-based authentication
for VPN connections.
You obtain a certificate for NPS.
You need to ensure that NPS can perform certificate-based authentication.
To which store should you import the certificate?
To answer, select the appropriate store in the answer area.
Explanation:
When organizations deploy their own public key infrastructure (PKI) and install a private trusted root
CA, their CA automatically sends its certificate to all domain member computers in the organization.
The domain member client and server computers store the CA certificate in the Trusted Root
Certification Authorities certificate store. After this occurs, the domain member computers trust
certificates that are issued by the organization's trusted root CA.
For example, if you install AD CS, the CA sends its certificate to the domain member computers in
your organization and they store the CA certificate in the Trusted Root Certification Authorities
certificate store on the local computer. If you also configure and autoenroll a server certificate for
your NPS servers and then deploy PEAP-MS-CHAP v2 for wireless connections, all domain member
wireless client computers can successfully authenticate your NPS servers using the NPS server
certificate because they trust the CA that issued the NPS server certificate.
On computers that are running the Windows operating system, certificates that are installed on the
computer are kept in a storage area called the certificate store. The certificate store is accessible
using the Certificates Microsoft Management Console (MMC) snap-in.
This store contains multiple folders, where certificates of different types are stored. For example,
the certificate store contains a Trusted Root Certification Authorities folder where the certificates
from all trusted root CAs are kept.
When your organization deploys a PKI and installs a private trusted root CA using AD CS, the CA
automatically sends its certificate to all domain member computers in the organization. The domain
member client and server computers store the CA certificate in the Trusted Root Certification
Authorities folder in the Current User and the Local Computer certificate stores. After this occurs,
the domain member computers trust certificates that are issued by the trusted root CA.
Similarly, when you autoenroll computer certificates to domain member client computers, the
certificate is kept in the Personal certificate store for the Local Computer. When you autoenroll
certificates to users, the user certificate is kept in the Personal certificate store for the Current User.
http://technet.microsoft.com/en-us/library/cc730811.aspx
http://technet.microsoft.com/en-us/library/cc772401(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/ee407543(v=ws.10).aspx
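The store layout described in the explanation can be checked on a server with PowerShell. This is an added example, not part of the original page: `Get-NpsCertCandidate` is a hypothetical helper name, and the checks it applies (private key present, Server Authentication EKU, validity dates, issuing root present in the Local Computer Trusted Root Certification Authorities store) are assumptions about what a usable server certificate needs.

```powershell
# Added example: audit the Local Computer Personal store (Cert:\LocalMachine\My)
# for certificates a server could present, and confirm their root is trusted.
# Get-NpsCertCandidate is a hypothetical helper name, not a built-in cmdlet.
function Get-NpsCertCandidate {
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
    $now = Get-Date

    # Thumbprints of every root CA trusted by the Local Computer store.
    $trustedRoots = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Collect EKU OIDs from the Enhanced Key Usage extension, if present.
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        # Build the chain in machine context; skip revocation so this runs offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)
        $root = $chain.ChainElements | Select-Object -Last 1

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey              # needed to prove identity
            ServerAuthEku = $ekuOids -contains $serverAuthOid
            InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
            ChainBuilds   = $chainOk
            RootInLMRoot  = $trustedRoots -contains $root.Certificate.Thumbprint
        }
    }
}

# Rows where any column is False point at the reason authentication would fail.
Get-NpsCertCandidate | Format-Table -AutoSize
```

A certificate that appears only under Trusted Root Certification Authorities will not show up in this listing, because the function enumerates the Personal store.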
Certificates (Local Computer) – Trusted Root Certification Authorities
How trust is established
Windows-based computers keep certificates in a certificate store on the local computer. There is a certificate store for the Local Computer, for the Current User, and for individual Services, such as Network Connections, Automatic Updates, and Computer Browser. In each certificate store there is a folder named Trusted Root Certification Authorities that contains certificates from every CA that is trusted, whether they are public or private CAs.
https://technet.microsoft.com/en-us/library/cc772401(v=ws.10).aspx
The Trusted Root Certification Authorities are for adding CAs (Certificate Authorities), which are the certs that issue out certs for other identities. Placing the CA into the Trusted Root Certification Authorities is how you configure your computer to trust certs issued by said CA as valid.
In this question, we have been issued a cert for the server itself, and we need to know where to import it for it to be used by the server. Since the cert is for the server itself, we place it in the Local Computer Personal Store; then the server will be able to use said cert to identify itself.