Home » Microsoft » 70-640 » What should you do?
You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recovery agent certificates are issued.
The CA is configured to use two recovery agents.
You need to ensure that all of the recovery agent certificates can be used to recover all new private keys.
What should you do?
A. Add a data recovery agent to the Default Domain Policy.
B. Modify the value in the Number of recovery agents to use box.
C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.
D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.
Correct Answer: B
Explanation/Reference:
Reference:
MS Press – Self-Paced Training Kit (Exams 70-648 & 70-649) (Microsoft Press, 2009)
page 357
You enable key archival on the Recovery Agents tab of the CA Properties in the CA console by selecting the Archive The Key option and specifying a key recovery agent. In the number of recovery agents to use, select the number of key recovery agent (KRA) certificates you have added to the CA. This ensures that each KRA can be used to recover a private key. If you specify a smaller number than the number of KRA certificates installed, the CA will randomly select that number of KRA certificates from the available total and encrypt the private key, using those certificates. This complicates recovery because you then have to figure out which recovery agent certificate was used to encrypt the private key before beginning recovery.
