Which certificate or certificates should you identify?

Your network contains an Active Directory domain named contoso.com.
Your company has an enterprise root certification authority (CA) named CA1.
You plan to deploy Active Directory Federation Services (AD FS) to a server named Serverl.
The company purchases a Microsoft Office 365 subscription.
You plan register the company’s SMTP domain for Office 365 and to configure single sign-on for all users

You need to identify which certificate or certificates are required for the planned deployment.
Which certificate or certificates should you identify?

A.
a server authentication certificate that is issued by a trusted third-party and that contains the subject name serverl.contoso.com

B.
a server authentication certificate that is issued by CA1 and that contains the subject name Server1

C.
a server authentication certificate that is issued by a trusted third-party root CA and that contains the subject name Server1

D.
a server authentication certificate that is issued by CA1 and that contains the subject name serverl.contoso.com

E.
self-signed server authentication certificates for serverl.contoso.com

Explanation:
Correct – A – AD FS requires an SSL certificate (which is also known as a Server Authentication Certificate) that is issued by a third party, and whose UPN is
internet-routable.
Not B or C or D – A is required for AD FS… the rest are not required as they are either privately issued, or have a short/private UPN.
Not E – E refers to server authentication certificates, the requirements asks for a token-signing certificate. Token signing certificates are generated automatically and
Microsoft recommends that we use the default certificate as it has the benefit of updating itself when it expires etc.
https://gyazo.com/48a6ff83688b3c355578d5dea565acbd
https://support.office.com/en-sg/article/Plan-for-third-party-SSL-certificates-for-Office-365-b48cdf63-07e0-4cda-8c12-4871590f59ce