Define Security Requirements for Certification Authorities

You should define the security requirements for each CA in the hierarchy. The security requirements for CAs can include the following:

  • Using a hardware-based cryptographic service provider (CSP), such as a hardware security module (HSM), to generate and hold the private keys of root CAs

  • Maintaining root CAs in locked vaults

  • Operating root CAs and sometimes intermediate CAs offline

  • Keeping intermediate CAs and issuing CAs in secure data centers

  • Using longer keys for root CAs and high-level intermediate CAs, whose certificates have the longest lifetimes and are the most disruptive to replace

You can also use offline intermediate CAs to delegate authority from a parent company to a large number of separate organizations: the parent company's root CA issues a subordinate CA certificate to each subsidiary, and the subsidiary keeps that subordinate CA offline as the parent of its own issuing CAs.

Deciding on the security required for a CA means balancing the cost of implementing and maintaining the security measures against the likelihood of an attack on the CA and the cost of a CA compromise. The higher the likelihood of attack and the higher the cost of compromise, the more spending on protection is justified. You should generally provide the most protection for root CAs, and more protection for intermediate CAs than for issuing CAs, because a compromise higher in the hierarchy invalidates every certificate issued beneath it.

Protection for the root CA does not have to be expensive, especially for small companies. It might be adequate to keep an offline root CA in a locked computer cabinet, or to store the root CA's keys on removable media kept in a vault. The root CA computer should not have a network adapter; its CA certificate and CRLs are carried to the network on removable media for publication.
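The following PowerShell script is an added example, not part of the original documentation, that checks a Windows CA host against the requirements listed above (hardware-based provider, key length, and offline operation for a root CA). It reads the same registry values that `certutil -getreg CA\CSP\Provider` reports. The list of Microsoft software providers, the 4096-bit threshold, and the function name `Get-CaSecurityAudit` are assumptions chosen for illustration; adjust them to your own policy. ECC CA keys are not handled.

```powershell
# Added example (not from the original documentation): audit the local Windows CA
# against the root CA security requirements above. Run in an elevated session on the CA host.
# The software-provider list and the 4096-bit threshold are assumptions for illustration.

$MinRootKeyBits = 4096
$CaRegBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaSecurityAudit {
    # Active CA name and the CSP/KSP holding its private key
    # (the same data "certutil -getreg CA\CSP\Provider" prints).
    $caName   = (Get-ItemProperty -Path $CaRegBase -Name Active).Active
    $provider = (Get-ItemProperty -Path (Join-Path $CaRegBase "$caName\CSP") -Name Provider).Provider

    # Microsoft software providers keep the key on disk. Anything else is treated as a
    # candidate hardware provider and should be confirmed against the HSM vendor's name.
    $softwareProviders = @(
        'Microsoft Software Key Storage Provider',
        'Microsoft Strong Cryptographic Provider',
        'Microsoft Enhanced Cryptographic Provider v1.0',
        'Microsoft Enhanced RSA and AES Cryptographic Provider',
        'Microsoft Base Cryptographic Provider v1.0'
    )

    # The CA's own certificate: the newest one whose subject CN matches the CA name.
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$caName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $caCert) { throw "No certificate for CA '$caName' found in LocalMachine\My" }

    # RSA key size; GetRSAPublicKey also covers CNG keys where PublicKey.Key is null.
    # ECC CA keys are out of scope for this example.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($caCert)
    $keyBits = if ($rsa) { $rsa.KeySize } else { $caCert.PublicKey.Key.KeySize }

    # A root CA certificate is self-signed: subject equals issuer.
    $isRoot = ($caCert.Subject -eq $caCert.Issuer)

    # Offline requirement: a root CA should have no enabled physical network adapters.
    $nics = @(Get-CimInstance Win32_NetworkAdapter |
        Where-Object { $_.PhysicalAdapter -and $_.NetEnabled })

    [pscustomobject]@{
        CaName          = $caName
        IsRoot          = $isRoot
        Provider        = $provider
        HardwareBacked  = ($softwareProviders -notcontains $provider)
        KeyBits         = $keyBits
        KeyLengthOk     = (-not $isRoot) -or ($keyBits -ge $MinRootKeyBits)
        EnabledAdapters = $nics.Count
        OfflineOk       = (-not $isRoot) -or ($nics.Count -eq 0)
        CertExpires     = $caCert.NotAfter
    }
}

$audit = Get-CaSecurityAudit
$audit | Format-List

# Summarize the findings a reviewer would act on.
$failures = @()
if ($audit.IsRoot -and -not $audit.HardwareBacked) { $failures += "root key is held by software provider '$($audit.Provider)'" }
if (-not $audit.KeyLengthOk) { $failures += "root key is $($audit.KeyBits) bits (policy minimum $MinRootKeyBits)" }
if (-not $audit.OfflineOk)   { $failures += "$($audit.EnabledAdapters) enabled network adapter(s) on a root CA" }

if ($failures) { Write-Warning ("CA '{0}' fails: {1}" -f $audit.CaName, ($failures -join '; ')) }
else           { Write-Output  ("CA '{0}' meets the root CA security requirements checked here." -f $audit.CaName) }
```

A provider name outside the software list is only a hint that the key is in hardware; confirm it matches the installed HSM's CSP or KSP. The adapter check catches a root CA that was left connected after installation, but it does not replace physical controls such as the locked cabinet or vault described above.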