Your network contains an Active Directory forest named contoso.com.
Your company works with a partner company that has an Active Directory forest named fabrikam.com.
Both forests contain domain controllers that run only Windows Server 2012 R2.
The certification authority (CA) infrastructure of both companies is configured as shown in the following table.
You need to recommend a certificate solution that meets the following requirements:
– Server authentication certificates issued from fabrikam.com must be trusted automatically by the computers in contoso.com.
– The computers in contoso.com must not trust automatically any other type of certificates issued from the CA hierarchy in fabrikam.com.
What should you include in the recommendation?
A.
Deploy a Group Policy object (GPO) that defines intermediate CAs.
Import a certificate that has an application policy object identifier (OID) of CA Encryption Certificate.
B.
Deploy a Group Policy object (GPO) that defines an enterprise trust.
Import a certificate that has an application policy object identifier (OID) of Microsoft Trust List Signing.
C.
Deploy a Group Policy object (GPO) that defines an enterprise trust.
Import a certificate that has an application policy object identifier (OID) of CA Encryption Certificate.
D.
Deploy a Group Policy object (GPO) that defines intermediate CAs.
Import a certificate that has an application policy object identifier (OID) of Microsoft Trust List Signing.
Explanation:
If we need to trust a certificate from a partner enterprise/forest, but we do not want to automatically trust all of the certificates issued by that organization's CA hierarchy, we simply:
Deploy a Group Policy object (GPO) that defines an enterprise trust.
Import a certificate that has an application policy object identifier (OID) of Microsoft Trust List Signing.
Certificate Trust List (CTL):
A CTL is almost the opposite of a Certificate Revocation List (CRL).
Instead of making a list of the certificates we no longer trust, we add the partner's certificate to a (Microsoft) Certificate Trust List (CTL), which specifies which certificates we DO trust, and for which purposes (here, server authentication only).
If we add an external enterprise's certificate to our CTL, our network will ONLY trust that specific certificate, for the purposes listed in the CTL, and nothing else from the partner enterprise unless we add more of their certificates to our CTL.
https://technet.microsoft.com/en-us/library/cc962065.aspx
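The distinction the answer choices turn on is the enhanced key usage (EKU) of the certificate you import: the enterprise trust policy expects a CTL signer marked for Microsoft Trust List Signing, not a CA Encryption certificate. The following PowerShell is an added example, not part of the original question or of Microsoft's documentation; it reads a certificate file, lists its EKU OIDs, and reports whether it is explicitly a CTL signing certificate. The file path and the function names are assumptions for illustration.

```powershell
# Added example (not from the original question). Inspects a certificate file and
# reports whether it carries the Microsoft Trust List Signing EKU that the
# "enterprise trust" GPO setting expects. Path and function names are assumptions.

# Well-known EKU OIDs referenced by the answer choices and the requirements.
$Script:OidTrustListSigning = '1.3.6.1.4.1.311.10.3.1'   # Microsoft Trust List Signing
$Script:OidCaEncryption     = '1.3.6.1.4.1.311.21.5'     # CA Encryption Certificate
$Script:OidServerAuth       = '1.3.6.1.5.5.7.3.1'        # Server Authentication

function Get-CertificateEkuOids {
    # Returns the EKU OID strings of a DER or Base64 encoded .cer file (assumed input).
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    # No EKU extension means "any purpose"; that is not what we want for a CTL signer.
    if (-not $ekuExt) { return @() }
    return @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-CtlSigningCertificate {
    # $true only when the certificate is explicitly marked for Microsoft Trust List Signing.
    param([Parameter(Mandatory)][string]$Path)
    $oids = Get-CertificateEkuOids -Path $Path
    if (($oids -contains $Script:OidCaEncryption) -and ($oids -notcontains $Script:OidTrustListSigning)) {
        Write-Warning 'This is a CA Encryption certificate (options A and C), not a CTL signer.'
    }
    return ($oids -contains $Script:OidTrustListSigning)
}

# Usage (the path is a placeholder):
# Test-CtlSigningCertificate -Path 'C:\pki\partner-ctl-signer.cer'
#
# After the GPO applies, the CTL is delivered to the group-policy Trust store of the
# domain members (assumed location; verify in your environment). Listing that store
# shows the CTL and the purposes it grants, which for this scenario should be
# Server Authentication only:
# certutil -grouppolicy -store Trust
```

When reviewing the result on a contoso.com member, the check a practitioner wants is that the CTL's listed purpose is limited to Server Authentication ($Script:OidServerAuth) and that no fabrikam.com CA certificate has been placed in the Trusted Root or Intermediate stores, since either of those would grant the broad trust the second requirement forbids.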