The root CA should never be connected to the network or joined to the domain, and no fingerprint of the server should ever be recorded, because a compromise of the root key impacts the entire PKI hierarchy.
Root CAs should always stay offline and shut down except when signing Issuing CA certificates and when publishing the root CRL.
Access to the Root CA to sign an Issuing CA request should be initiated through an agreed and controlled workflow so that the Root CA is not compromised by any means.
Once the Issuing CA certificate has been issued and the Root CRL published, the Root CA should be turned off.
Publish a reasonably short-lived Root CA CRL: the NIST recommendation is a Root CA CRL validity of 1 year, and the CRL must be renewed before it expires.
We strongly recommend that all CA keys be stored securely in a FIPS 140-2 validated Hardware Security Module (HSM).
Protect the server at boot with BitLocker or another encryption system of your choice, and back up the CA private key, the CA registry key, the CA database, and the CA certificate.
Enable auditing so that every action performed on the Root CA is recorded as an audit event.
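The CRL lifetime, auditing and backup guidance above, as an added example for an offline Windows AD CS root CA (this script is not part of the original guidance). It assumes an elevated PowerShell session on the root CA itself, an HSM-backed CA key, and a removable backup volume mounted as E:\ that is powered off together with the CA.

```powershell
# Added example: one-time hardening pass on an offline AD CS root CA.
# Assumed: elevated session on the root CA, HSM-backed key, E:\ is a removable backup volume.
$BackupRoot = 'E:\RootCA-Backup\' + (Get-Date -Format 'yyyyMMdd')   # assumed path

# 1. Base CRL valid for one year (the NIST figure quoted above), with a two-week
#    overlap so the previous CRL stays valid while the new one is carried to the
#    online distribution point. Delta CRLs are disabled: an offline root that
#    publishes once a year has no use for them.
certutil -setreg 'CA\CRLPeriodUnits' 1
certutil -setreg 'CA\CRLPeriod' 'Years'
certutil -setreg 'CA\CRLOverlapUnits' 2
certutil -setreg 'CA\CRLOverlapPeriod' 'Weeks'
certutil -setreg 'CA\CRLDeltaPeriodUnits' 0

# 2. Audit every CA operation (AuditFilter 127 enables all seven AD CS audit
#    categories) and turn on the OS audit subcategory that actually writes them.
certutil -setreg 'CA\AuditFilter' 127
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# The CA service re-reads its registry configuration only on restart.
Restart-Service certsvc

# 3. Publish a fresh root CRL under the new period and copy it to the backup
#    volume so it can be transported to the online CDP/AIA location.
certutil -crl
$CrlDir = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
Copy-Item (Join-Path $CrlDir '*.crl') $BackupRoot

# 4. Back up the CA database, the CA certificate and the CA registry key.
#    The private key is not exported here: with an HSM it never leaves the
#    module, so the HSM is backed up with the vendor's own tooling instead.
certutil -backupdb $BackupRoot
certutil -ca.cert (Join-Path $BackupRoot 'rootca.cer')
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $BackupRoot 'certsvc-config.reg') /y

# 5. Confirm the effective settings before the CA is shut down again.
certutil -getreg 'CA\CRLPeriodUnits'
certutil -getreg 'CA\CRLPeriod'
certutil -getreg 'CA\CRLOverlapUnits'
certutil -getreg 'CA\AuditFilter'
```

Record the CRL's NextUpdate date in the operations calendar when the CA is powered down, since nothing on an offline host will alert you before the CRL expires.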