Offline Certification Authorities are divided into two types depending on the PKI hierarchy tier you are building. In a 3 tier PKI hierarchy you should have at least 2 Offline CAs , defined as an offline root CA and an offline policy CA. In a 2 tier hierarchy, you will only have a single offline CA, which is the offline root CA. The security practices discussed in this article apply to all offline CAs.

Private Key Protection

  1. It is recommended to use a Hardware Security Module (HSM) to protect the Private Key of the CA.  HSMs can either be network attached through a private network to the CA, commonly used in virtualized offline CAs, or can be directly attached to the CA.
  2. Never connect a CA to the network to reduce any attack footprint on the CA’s operating system (OS) or private key
  3. Establish a chain of custody and key signing ceremony whether you are using an HSM or not

Physical and Logical Access to the Offline CAs

  1. Access to the CAs should be limited only to the CA Administrator of the PKI hierarchy
  2. It is recommended to disable remote access technologies to the CAs such as Remote Desktop Protocol (RDP)
  3. Offline CAs should be stored in a secure location with an established chain of custody to retrieve the CA
  4. Disable CD-ROM auto play, and USB ports either in the BIOS or in the virtual machine settings
  5. Keep the CA offline unless you are performing maintenance tasks such as issuing a new CRL, or issuing a new certificate for a subordinate CAli>


  1. CA retrieval should be documented and audited, generally referred to, as a chain of custody, or key signing ceremony
  2. The CAs should logically be enabled for auditing, which should be done in two locations:
    • The Auditing tab on the CA properties , where all settings should be enabled and then restarting the Certification Authority services after making the change
    • Object Access Auditing at the operating system has to be enabled.

Related Articles

Offline CA Maintenance Tasks
Offline Root Certification Authority