Ensure that a compromise is discovered as quickly as possible by implementing
tracking and detection mechanisms and by performing regular manual operational
sanity checks.
Establish well-defined communications plans for informing subjects, relying
parties, and other stakeholders, with sufficient detail about the type of
compromise that these parties can implement the appropriate remedial actions.
If a CA system or signing key compromise occurs, the organization should perform
the following steps:
Ensure that certificates issued to the organization’s systems or users
from the compromised CA are revoked.
Notify all owners of the affected certificates about the CA compromise
and establish a point of contact for responding to questions and
providing guidance and instructions.
Replace all certificates from the compromised CA with new certificates
from a different CA effective immediately.
Ensure that all relying parties have the certificate trust chains
required to validate certificates from the new CA.
Ensure that revocation checking is enabled on all relying party
systems.
If the compromised CA is a root CA, the root certificate must be removed
from all trust stores and relying party systems.
Compromised Certificate Handling
Ensure a timely response to a CA or end-entity certificate compromise, and
have a plan or workflow in place to replace all affected certificates or the
trust chain.
In the event of a key or certificate compromise, a fresh key pair should be
generated on a secured system. The compromised item should be revoked and taken
out of service as soon as the systems are secured.
If you are unsure whether you still have sole possession of your private key,
report it to your CA and suspend the key immediately. Once you have confirmed
that the key is secure, reinstate the certificate.
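The CA-compromise steps listed above and the fresh-key-pair-and-revoke workflow in this section, walked through as a self-contained Go program. This is an added example written for this page, not code from the original document or from any CA product; it uses only the Go standard library (crypto/x509 with the RevocationListEntry API, so Go 1.21 or later). The CA names, hostname, serial numbers and the relyingPartyAccepts model are all constructed for the example. It issues a certificate from a CA that is then treated as compromised, revokes it with a CRL carrying reason code keyCompromise, issues a replacement (new key pair, different CA), and shows what a relying party with revocation checking enabled decides at each step, including the failure when the new trust chain has not yet been distributed and the rejection of the old certificate once the compromised root is removed from the trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error so the example stays short; not a production pattern.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// issuer pairs a CA certificate with its signing key. Every name, host and serial
// in this file is constructed for the example.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed root CA able to sign certificates and CRLs.
func newCA(name string, serial int64) *issuer {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &issuer{cert: must(x509.ParseCertificate(der)), key: key}
}

// issueLeaf issues a server certificate for host with a freshly generated key pair.
func (ca *issuer) issueLeaf(host string, serial int64) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key))
	return must(x509.ParseCertificate(der))
}

// revoke signs a CRL listing the given serials with reason code 1 (keyCompromise, RFC 5280).
func (ca *issuer) revoke(serials ...*big.Int) *x509.RevocationList {
	var entries []x509.RevocationListEntry
	for _, s := range serials {
		entries = append(entries, x509.RevocationListEntry{SerialNumber: s, RevocationTime: time.Now(), ReasonCode: 1})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificateEntries: entries}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key))
	return must(x509.ParseRevocationList(der))
}

// relyingPartyAccepts models a relying party with revocation checking enabled: the chain
// must end at a root in its trust store, and when the issuer's CRL is available the
// leaf's serial must not be listed on it. (x509.Verify itself does not consult CRLs.)
func relyingPartyAccepts(leaf *x509.Certificate, trust *x509.CertPool, crl *x509.RevocationList, host string) (bool, string) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: trust, DNSName: host})
	if err != nil { return false, "no chain to a trusted root: " + err.Error() }
	if crl != nil {
		// chains[0][1] is the issuing root; reject a CRL the issuer did not sign.
		if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { return false, "CRL not signed by issuer" }
		for _, e := range crl.RevokedCertificateEntries {
			if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 { return false, fmt.Sprintf("revoked (reason code %d)", e.ReasonCode) }
		}
	}
	return true, "accepted"
}

// verdicts records the relying party's decision at each step of the response.
type verdicts struct{ Before, AfterCRL, NewLeafOldTrust, OldLeafNewTrust, NewLeafNewTrust bool }

// runScenario walks the steps: revoke, replace from a different CA, distribute the new
// trust chain, remove the compromised root from the trust store.
func runScenario() verdicts {
	const host = "app.example.test" // constructed hostname
	oldRoot := newCA("Example Root CA (compromised in this scenario)", 1)
	leaf := oldRoot.issueLeaf(host, 1001)
	trust := x509.NewCertPool()
	trust.AddCert(oldRoot.cert)
	var v verdicts
	v.Before, _ = relyingPartyAccepts(leaf, trust, nil, host)
	crl := oldRoot.revoke(leaf.SerialNumber) // revoke certificates issued by the compromised CA
	v.AfterCRL, _ = relyingPartyAccepts(leaf, trust, crl, host)
	newRoot := newCA("Example Root CA G2", 2) // replacement certificates come from a different CA
	newLeaf := newRoot.issueLeaf(host, 2001)
	v.NewLeafOldTrust, _ = relyingPartyAccepts(newLeaf, trust, nil, host) // new trust chain not yet distributed
	trust = x509.NewCertPool() // rebuild the trust store without the compromised root
	trust.AddCert(newRoot.cert)
	v.OldLeafNewTrust, _ = relyingPartyAccepts(leaf, trust, nil, host)
	v.NewLeafNewTrust, _ = relyingPartyAccepts(newLeaf, trust, nil, host)
	return v
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

Running it prints the five verdicts: only Before and NewLeafNewTrust are true. The revocation check is written by hand because Go's x509.Verify builds and validates the chain but never fetches or consults a CRL or OCSP response; a real relying party has to obtain the issuer's revocation data (CRL distribution point or OCSP) and apply it itself, which is exactly why the step "ensure that revocation checking is enabled on all relying party systems" has to be verified rather than assumed.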