Correct Answer: B
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc962065.aspx
Certification Authority Trus
Certification Authority Hierarchies
The Windows 2000 public key infrastructure supports a hierarchical CA trust model, called the certification hierarchy, to provide scalability, ease of administration, and compatibility with a growing number of commercial third-party CA services and public key-aware products. In its simplest form, a certification hierarchy consists of a single CA. However, the hierarchy usually contains multiple CAs that have clearly defined parent-child relationships. Figure 16.5 shows some possible CA hierarchies.
Figure 16.5 Certification Hierarchies
You can deploy multiple CA hierarchies to meet your needs. The CA at the top of the hierarchy is called a root CA. Root CAs are self-certified by using a self-signed CA certificate. Root CAs are the most trusted CAs in the organization and it is recommended that they have the highest security of all. There is no requirement that all CAs in an enterprise share a common top-level CA parent or root. Although trust for CAs depends on each domain’s CA trust policy, each CA in the hierarchy can be in a different domain.
Child CAs are called subordinate CAs. Subordinate CAs are certified by the parent CAs. A parent CA certifies the subordinate CA by issuing and signing the subordinate CA certificate. A subordinate CA can be either an intermediate or an issuing CA. An intermediate CA issues certificates only to subordinate CAs. An issuing CA issues certificates to users, computers, or services.
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/605dbf9d-2694-4783-8002- c08b9c7d4149
Forum FAQ: How to import certificate into Intermediate Certification Authorities store?
Question:
How to import certificate into Intermediate Certification Authorities store?
In Windows Server 2008 or Windows Server 2008 R2 domain, we can import intermediate CA certificates using group policy:
Computer ConfigurationPoliciesWindows SettingsSecurity SettingsPublic Key PoliciesIntermediate Certification AUthorities
The policy is not available in Windows Server 2003. For Windows 2003 domain, you can write a script that uses the following command to push out the intermediate CA certificate via group policy. The server will have to be rebooted for this to take effect.
Certutil -f -addstore CA <intermediate CA name>.crt
Note: CA is the programmatic name of the Intermediate Certification Authorities store.