Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. The system properties of Server1 are shown in the exhibit. (Click the Exhibit button.)
You need to configure Server1 as an enterprise subordinate certification authority (CA).
What should you do first?
A. Add RAM to the server.
B. Set the Startup Type of the Certificate Propagation service to Automatic.
C. Install the Certification Authority Web Enrollment role service.
D. Join Server1 to the contoso.com domain.
Correct Answer: D
Explanation/Reference:
Explanation: Enterprise CAs must be domain members. From the exhibit we see that it is only a Workgroup member.
Note: A new CA can be the root CA of a new PKI or subordinate to another in an existing PKI. Enterprise subordinate certification authority
An enterprise subordinate CA must get a CA certificate from an enterprise root CA but can then issue certificates to all users and computers in the enterprise. These types of CAs are often used for load balancing of an enterprise root CA.
Enterprise CAs can be used to issue certificates to support such services as digital signatures, Se- cure Multipurpose Internet Mail Extensions (S/MIME) secure mail, Secure Sockets Layer (SSL) or Transport Layer Security (TLS) secured web access and smart card authentication. Enterprise CAsare used to provide certificate services to internal users who have user accounts in the do- main. Requiring Active Directory, an Enterprise subordinate CA obtains its certificate from an already existing CA. These types of CAs are used to provide smart-card-enabled logons by Windows XP and other Windows Server 2003 machines.
After a root certification authority (CA) has been installed, many organizations will install one or more subordinate CAs to implement policy restrictions on the public key infrastructure (PKI) and to issue certificates to end clients. Using at least one subordinate CA can help protect the root CA from unnecessary exposure. If a subordinate CA will be used to issue certificates to users or computers with accounts in an Active Directory domain, installing the subordinate CA as an enterprise CA allows you to use the client's existing account data in Active Directory Do- main Services (AD DS) to issue and manage certificates and to publish certificates to AD DS. Membership in local Administrators, or equivalent, is the minimum required to complete this procedure. If this will be an enterprise CA, membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.
No comments:
Post a Comment