Securing Windows Server 2016 — Question 96

Your network contains an Active Directory domain named contoso.com. The domain contains a certification authority (CA).
You need to implement code integrity policies and sign them by using certificates issued by the CA.
You plan to use the same certificate to sign policies on multiple computers.
You duplicate the Code Signing certificate template and name the new template CodeIntegrity.
How should you configure the CodeIntegrity template?

Answer options

• A. Enable the Allow private key to be exported setting and modify the Key Usage extension.
• B. Disable the Allow private key to be exported setting and modify the Application Policies extension.
• C. Disable the Allow private key to be exported setting and disable the Basic Constraints extension.
• D. Enable the Allow private key to be exported setting and enable the Basic Constraints extension

Correct answer: D

Explanation

The correct answer is D because enabling the 'Allow private key to be exported' setting is necessary for using the certificate across multiple computers. Additionally, enabling the Basic Constraints extension is important for defining the certificate's role in a public key infrastructure. The other options incorrectly suggest disabling key export or not configuring the Basic Constraints extension, which would limit the certificate's usability.