70-640 Question on Certificates

GbosGbos Posts: 1Registered Users ■□□□□□□□□□
Looking at sitting the exam in the next couple of weeks, came across the following question and apparently the answer is A but I thought it was D and can't get my head around why its A. Can anyone let me know which answer is correct and why

Q. You have a two tier PKI infrastructure that contains an offline root CA and an online issuing CA. The enterprise certification authority is running windows server 2008 R2.
You need to ensure users are able to enroll new certificates.

A. Renew the certificate revocation list (CRL) on the root CA. Copy the CRL to the certenroll folder on the issuing CA.
B. Renew the certificate revocation list (CRL) on the issuing CA. Copy the crl to the systemcertificates folder in the users profile.
C. Import the root CA certificate into the trusted root certification authorities store on all client workstations.
D. Import the issuing CA certificate into the intermediate certification authorities store on all client workstations.

Comments

  • magwitchmagwitch Posts: 9Registered Users ■□□□□□□□□□
    You'd have to have the CRL from the root CA in certenroll on the subordinate for it to work (I think this is one of the installation steps for a subordinate) so I can sort of see why A is the answer but it's a strange question in that the answer has a much broader context than the question.

    E2A: have you tried labbing it?
  • method115method115 Posts: 85Member ■■□□□□□□□□
    magwitch wrote: »
    You'd have to have the CRL from the root CA in certenroll on the subordinate for it to work (I think this is one of the installation steps for a subordinate) so I can sort of see why A is the answer but it's a strange question in that the answer has a much broader context than the question.

    E2A: have you tried labbing it?

    The answer has to be A. I don't think C or D are ever required to start issuing certs.
Sign In or Register to comment.