Microsoft Windows Security Resource Kit
Best Practices
- Increase the security of root CA computers.
You can do this by deploying offline CAs and, if possible, by deploying offline policy CAs, depending on your company's security policy.
- Implement a hardware storage module.
You should do this only if your company's security policy requires strong protection of CA key pairs.
- Ensure that CRLs and CA certificates are published to accessible locations.
The certificate chaining engine must have access to all CRLs and CA certificates in the certificate chain to validate a presented certificate. If any certificate or CRL is unavailable, its status cannot be determined.
- Enable CRL checking in all applications.
CRL checking ensures that a presented certificate passes validation tests for approval. If the certificate fails any tests, it is considered invalid.
- Apply the latest service packs and hotfixes to CAs.
This way, you ensure that the CA is protected against known vulnerabilities.
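The two CRL-related practices above (publishing CRLs and CA certificates where the chaining engine can reach them, and checking CRLs before a certificate is accepted) are shown end to end in the following Go program. It is an added example, not code from the Resource Kit or from Microsoft. Using Go's standard crypto/x509 package it constructs a two-tier test hierarchy (an offline root, an online issuing CA, one server certificate), has each CA sign a CRL, and then validates the leaf with the complete set of CA certificates and CRLs, with the root's CRL unavailable, with a later issuing-CA CRL that revokes the leaf, and with the issuing CA certificate unavailable. The CA names, serial numbers and the `Validate` function are this example's own; no real certificates or published CRL locations are involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on any error during construction of the test PKI; it is not part of validation.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues one certificate of the constructed test PKI; with parent nil it is
// self-signed (the offline root), otherwise parent and parentKey sign it.
func makeCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if isCA { // a CA key signs certificates and CRLs; CheckSignatureFrom on a CRL insists on CRLSign
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// makeCRL signs a CRL from issuer that lists the given serial numbers as revoked.
func makeCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, number int64, revoked ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries, x509.RevocationListEntry{SerialNumber: big.NewInt(s), RevocationTime: tmpl.ThisUpdate})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))))
}

// BuildPKI constructs the hierarchy: offline root, online issuing CA, one leaf. The CRLs
// are keyed by role; "revoked" is a later issuing-CA CRL (higher CRL number) listing the leaf.
func BuildPKI() (leaf *x509.Certificate, roots, inters *x509.CertPool, crls map[string]*x509.RevocationList) {
	root, rootKey := makeCert("Constructed Offline Root CA", 1, true, nil, nil)
	issuing, issuingKey := makeCert("Constructed Issuing CA", 2, true, root, rootKey)
	leaf, _ = makeCert("server.example.test", 3, false, issuing, issuingKey)
	roots, inters = x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuing)
	crls = map[string]*x509.RevocationList{"root": makeCRL(root, rootKey, 1),
		"issuing": makeCRL(issuing, issuingKey, 1), "revoked": makeCRL(issuing, issuingKey, 2, 3)}
	return
}

// Validate does what the text asks of the certificate chaining engine: build the chain
// to a trusted root, then for every certificate below the root find a current CRL signed
// by its issuer and confirm the serial is absent. An unavailable or stale CRL leaves the
// status undetermined, which is reported as a failure rather than treated as "not revoked".
func Validate(leaf *x509.Certificate, roots, intermediates *x509.CertPool, crls ...*x509.RevocationList) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})
	if err != nil {
		return fmt.Errorf("chain building failed: %w", err)
	}
	chain := chains[0] // leaf first, trusted root last
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		var crl *x509.RevocationList
		for _, c := range crls { // only CRLs whose signature verifies under this issuer count; prefer the newest
			if c.CheckSignatureFrom(issuer) == nil && (crl == nil || c.Number.Cmp(crl.Number) > 0) {
				crl = c
			}
		}
		if crl == nil || time.Now().After(crl.NextUpdate) {
			return fmt.Errorf("no current CRL from %q: status of %q cannot be determined", issuer.Subject.CommonName, cert.Subject.CommonName)
		}
		for _, e := range crl.RevokedCertificateEntries {
			if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%q (serial %s) is revoked", cert.Subject.CommonName, cert.SerialNumber)
			}
		}
	}
	return nil
}

func main() {
	leaf, roots, inters, crls := BuildPKI()
	fmt.Println("all CRLs reachable:", Validate(leaf, roots, inters, crls["root"], crls["issuing"]))
	fmt.Println("root CRL missing:  ", Validate(leaf, roots, inters, crls["issuing"]))
	fmt.Println("leaf revoked:      ", Validate(leaf, roots, inters, crls["root"], crls["revoked"]))
	fmt.Println("issuing CA missing:", Validate(leaf, roots, x509.NewCertPool(), crls["root"], crls["issuing"]))
}
```

Only the first case validates. With the root's CRL unreachable, the issuing CA's own revocation status cannot be established, so the leaf is rejected even though it is not itself revoked; this is the behaviour the text describes, and it is why CRL distribution points must stay available for every tier, including an offline root that publishes infrequently. When two CRLs from the same issuer are offered, the one with the higher CRL number is used, so an older list cannot mask a later revocation.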