3 votes
You manage Certificate Services for the widgets.com domain. You have installed a single CA named CA1 as an offline standalone root CA. You install a second CA in your hierarchy. You want to configure certificate templates so that the CA can automatically back up the private keys for every certificate it issues.

How should you configure the certificate template?

a. For each user and computer certificate template, edit the request handling settings and allow archival of the private key.
b. For each user and computer certificate template, edit the security settings to add a recovery agent and to grant Read and Write permissions.
c. For each user and computer certificate template, edit the issuance requirements and require certificate manager approval.
d. For each user and computer certificate template, edit the request handling settings and allow the private key to be exported.

1 Answer

7 votes

Answer:

b. For each user and computer certificate template, edit the security settings to add a recovery agent and to grant Read and Write permissions

Step-by-step explanation:

We may set a different account to be the DRA; we simply need to build a certificate for it from EFS Recovery Agent.

This implies that both the user who encrypted the file and the DRA account would be able to decrypt it.

It's important, as you can imagine, that the private key for the DRA is safe. It's implied that if not in service it can be safely placed offline.

by User Mstrap (4.4k points)