You administer an Active Directory Domain Services environment. There are no certification authorities (CAs) in the environment. You plan to implement a two-tier CA hierarchy with an offline root CA. You need to ensure that the issuing CA is not used to create additional subordinate CAs.
What should you do?
A. In the CAPolicy.inf file for the issuing CA, enter the following constraint: PathLength=1
B. In the CAPolicy.inf file for the root CA, enter the following constraint: PathLength=1
C. In the CAPolicy.inf file for the root CA, enter the following constraint: PathLength=2
D. In the CAPolicy.inf file for the issuing CA, enter the following constraint: PathLength=2
Answer: B
Explanation:
The CAPolicy.inf file can be used to define the PathLength constraint in the Basic Constraints extension of the root CA certificate. The PathLength constraint limits the depth of the CA hierarchy by specifying how many tiers of subordinate CAs may exist beneath the root. A PathLength of 1 means that at most one tier of CAs can exist beneath the root; those subordinate CAs will have a PathLength basic constraint of 0, which means that they cannot issue any subordinate CA certificates.
Reference: Windows Server 2008 R2 CAPolicy.inf Syntax
http://blogs.technet.com/b/askds/archive/2009/10/15/windows-server-2008-r2-capolicy-inf-syntax.aspx