Off-line Root CA

In a public key infrastructure (PKI) the top of the trust path is a certificate authority (CA); because it sits at the top it is called the root CA. A CA issues, distributes and revokes X.509 digital certificates. The CA, which is software running on a dedicated server or on purpose-built hardware, must be protected with the strongest physical and logical security measures available, because whoever controls the root key can issue certificates that every relying party in the PKI trusts. One option is therefore not to keep the root CA connected to the network at all and to keep it physically separated; several variants exist:

1. Off-line Root CA. The network cable is unplugged from the server on which the root CA runs, with two options:

a. Keep the server powered on but disconnected from the network.
b. Keep the server powered off, disconnected from the network and locked in a vault.

NOTE. Some literature uses the term "Disconnected Root CA"; it is assumed here to mean the same as "Off-line Root CA".

There are also some issues related to CRL signing. A CRL carries a nextUpdate time after which relying parties must not rely on it, so the issuing CA has to re-sign it periodically, and an off-line root CA cannot be "that" active in signing CRLs. Therefore:
1. Keep the root CA off-line and sign CRLs on-line, by delegating CRL signing to a separate on-line signer that holds a certificate with the cRLSign key usage (an indirect CRL in X.509 terms). The on-line signing key is exposed to the network and needs protection in its own right.
2. Keep everything off-line: the root signs its own CRL at each scheduled power-on, with a nextUpdate far enough out (plus a margin) to cover the interval until the next power-on, and the resulting file is carried to an on-line distribution point. The root's CRL is short in any case, since the root issues only a handful of subordinate CA certificates.
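The second arrangement, an off-line root that signs its own long-lived CRL for on-line publication, can be exercised end to end with Go's standard crypto/x509 package. The program below is an added example written for this page, not code from the original article or from any CA product; the CA names, the CRL distribution point URL and the lifetimes in it are illustrative assumptions. It simulates one power-on session of the root: generate the root key, self-sign the root certificate, issue one subordinate CA, sign a CRL whose nextUpdate is a year out, and then perform the checks a relying party would perform: the chain and CRL signatures, the CRL validity window, and whether the subordinate is listed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // demo-only error handling, not for a real CA tool
	if err != nil {
		panic(err)
	}
	return v
}

// OfflineRootPKI is what one power-on session of the off-line root leaves behind.
type OfflineRootPKI struct {
	Root  *x509.Certificate
	SubCA *x509.Certificate
	CRL   *x509.RevocationList
}

// BuildOfflineRootPKI simulates one session at the off-line root (names and
// lifetimes are illustrative assumptions). The root is unreachable between
// sessions, so the CRL it signs has to stay valid for the whole crlLifetime.
func BuildOfflineRootPKI(now time.Time, crlLifetime time.Duration, revokeSub bool) *OfflineRootPKI {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Off-line Root CA"},
		NotBefore:             now,
		NotAfter:              now.AddDate(20, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // signs certs and CRLs, nothing else
	}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	// The on-line issuing CA generates its own key; only the public key (as a
	// CSR in practice) crosses the air gap to be signed by the root.
	subKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	subTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		CRLDistributionPoints: []string{"http://crl.example.test/root.crl"}, // hypothetical on-line distribution point
	}
	sub := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, subTmpl, root, &subKey.PublicKey, rootKey))))
	// The root's own CRL is tiny (it issues only sub-CA certificates) but must be
	// re-signed before NextUpdate, which fixes how often the root is powered on.
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,
		NextUpdate: now.Add(crlLifetime),
	}
	if revokeSub { // revokeSub: list the subordinate CA in this CRL
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{
			{SerialNumber: sub.SerialNumber, RevocationTime: now},
		}
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(
		rand.Reader, crlTmpl, root, rootKey))))
	return &OfflineRootPKI{Root: root, SubCA: sub, CRL: crl}
}

// Trusted: both the sub-CA certificate and the CRL carry valid root signatures.
func (p *OfflineRootPKI) Trusted() bool {
	return p.SubCA.CheckSignatureFrom(p.Root) == nil && p.CRL.CheckSignatureFrom(p.Root) == nil
}

// CRLValidAt: a relying party may still use the CRL at time t.
func (p *OfflineRootPKI) CRLValidAt(t time.Time) bool {
	return !t.Before(p.CRL.ThisUpdate) && !t.After(p.CRL.NextUpdate)
}

// SubRevoked: the subordinate CA's serial number appears in the CRL.
func (p *OfflineRootPKI) SubRevoked() bool {
	for _, rc := range p.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.SubCA.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

func main() {
	p := BuildOfflineRootPKI(time.Now().UTC().Truncate(time.Second), 365*24*time.Hour, false)
	fmt.Println("trusted:", p.Trusted(), "sub CA revoked:", p.SubRevoked(), "re-sign CRL before:", p.CRL.NextUpdate)
}
```

The knob that matters is crlLifetime: it has to exceed the interval between root sessions, with margin, or relying parties are left with a stale CRL and, depending on their policy, stop accepting the whole chain. In practice the CRL and the subordinate CA certificate leave the air gap on removable media and are copied to the URL named in the CRL distribution point; the root key never does.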
