You have an enterprise root certification authority (CA) that runs Windows Server 2008 R2.
You need to ensure that you can recover the private key of a certificate issued to a Web server.
What should you do?
A. From the CA, run the Get-PfxCertificate cmdlet.
B. From the Web server, run the Get-PfxCertificate cmdlet.
C. From the CA, run the certutil.exe tool and specify the -exportpfx parameter.
D. From the Web server, run the certutil.exe tool and specify the -exportpfx parameter.
Correct Answer: D
Explanation/Reference:
http://technet.microsoft.com/en-us/library/ee449471%28v=ws.10%29.aspx
Manual Key Archival
Manual key archival can be used in the following common scenarios that are not supported by automatic key archival:
Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates used by Microsoft® Office Outlook.
Certificates issued by CAs that do not support key archival.
Certificates installed on the Microsoft Windows® 2000 and Windows Millennium Edition operating systems.
This topic includes procedures for exporting a private key by using the following programs and for importing a private key to a CA database:
Certutil.exe
Certificates snap-in
Microsoft Office Outlook
..
To export private keys by using Certutil.exe
1. Open a Command Prompt window.
2. Type the Certutil.exe -exportpfx command using the command-line options described in the following table.
Certutil.exe [-p <Password>] -exportpfx <CertificateId> <OutputFileName>
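The export procedure above as a script for the Web server. This is an added example, not part of the referenced TechNet topic. The parameter names, the default output path and the ACL step are assumptions chosen for illustration. It also shows why Get-PfxCertificate does not answer the question: that cmdlet only reads a PFX file that already exists.

```powershell
# Added example (not from the original page). Run elevated on the Web server.
# $Thumbprint and $OutFile are illustrative parameters; the default path is a placeholder.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$OutFile = 'C:\KeyBackup\webserver.pfx'
)

# Normalize a thumbprint pasted from the Certificates snap-in (spaces, stray characters).
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# The private key lives in the local machine store of the server that generated
# the request. Unless key archival was used, the CA only has the public certificate.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in LocalMachine\My on this host."
}

# Make sure the destination folder exists before certutil writes to it.
$dir = Split-Path -Parent $OutFile
if (-not (Test-Path $dir)) {
    New-Item -ItemType Directory -Path $dir | Out-Null
}

# -p is left out so certutil asks for the PFX password interactively and the
# password never appears on the command line or in the console history.
& certutil.exe -exportpfx My $Thumbprint $OutFile
if ($LASTEXITCODE -ne 0) {
    throw "certutil -exportpfx failed (exit code $LASTEXITCODE). The key may be marked non-exportable."
}

# The PFX now contains the private key: drop inherited ACEs and allow only
# the built-in Administrators group (well-known SID S-1-5-32-544).
& icacls.exe $OutFile /inheritance:r /grant:r '*S-1-5-32-544:F' | Out-Null

# Get-PfxCertificate reads the file back (it prompts for the password);
# use it to confirm the exported certificate is the one that was requested.
$pfx = Get-PfxCertificate -FilePath $OutFile
if ($pfx.Thumbprint -ne $cert.Thumbprint) {
    throw "Exported PFX does not match the requested certificate."
}
"Exported $($cert.Subject) to $OutFile"
```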