A is the only right. Issuing a digital certificate can be done also by an internal custom CA with no validity to the outside word.

I would argue here, it could be A) as well. I as user or scripts are able to "issue" or "revoke" certificates, but only CA can grant authenticity...

In a PKI (Public Key Infrastructure), the purpose of a CA (Certificate Authority) is to issue, manage, and revoke digital certificates. The CA plays a central role in establishing trust and enabling secure communication within the PKI ecosystem. Here are the key purposes of a CA:

I agree. A is the most ligical for a CA in PKI setup.

I'm with Tthurston1 on this one, so C. I might be wrong, but, at the end of the day, the CA is there to confirm that only the subject can decrypt the message encrypted with its public key and that a message that can be decrypted with the public key was definitely encrypted by the subject via private. In my view C is the scope, A&B are processes done in order to achieve the goal.

CA doesn't directly validate any certificate. If you want to check if a certificate is valide, you just check if it's signed by CA( or above) and if it is still valid! So, A can not be correct! I go for B.

In the grand scheme of things, Options A-C are ALL VALID functions of a CA in a PKI infrastructure. But of course, you can only choose one answer..... I would opt for Option C because it emphasizes the critical aspect of verifying ownership of the PUBLIC key by the named subject.

They are asking for CA not RootCA certificate, might be B, make more sense to me.