You need to ensure that members of the Cert Approvers group can approve pending enrollment requests for a Key Recovery Agent certificate

You are the network administrator for your company. The network consists of a single Active Directory domain. All computers on the network are members of the domain. The domain contains a Windows Server 2003 computer named Server1. You are planning a public key infrastructure (PKI) for the company.

You want to deploy an enterprise certification authority (CA) on Server1. You create a new global security group named Cert Approvers. You install an enterprise CA and configure the CA to issue Key Recovery Agent certificates. The company’s written security policy states that issuance of a Key Recovery Agent certificate requires approval from a member of the Cert Approvers group.

All other certificates must be issued automatically. You need to ensure that members of the Cert Approvers group can approve pending enrollment requests for a Key Recovery Agent certificate.

What should you do?

A. Assign the Cert Approvers group the Allow – Issue and Manage Certificates permission for the CA.

B. Add the Cert Approvers group to the existing Cert Publishers group in the domain.

C. For all certificate managers, add the Cert Approvers group to the list of managed subjects.

D. Assign the Cert Approvers group the Allow – Enroll permission for the Key Recovery Agent certificate template.

E. Assign the Cert Approvers group the Allow – Full Control permission for the Certificate Templates container in the Active Directory configuration naming context.

Explanation:
To approve certificate requests, a user needs certificate manager rights, and those rights come from the Issue and Manage Certificates permission.
The choice between automatic enrollment and waiting for approval is made on the certificate template (in this case, the Key Recovery Agent template).

Reference:

Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 887


