Best Practices

  • Increase the security of root CA computers. You can do this by deploying offline CAs and, if possible, by deploying offline policy CAs, depending on your company’s security policy.

  • Implement a hardware security module. You should do this only if your company’s security policy requires strong protection of CA key pairs.

  • Ensure that CRLs and CA certificates are published to accessible locations. The certificate-chaining engine must have access to all CRLs and CA certificates in the certificate chain to validate a presented certificate. If any certificate or CRL is unavailable, its status cannot be determined.

  • Enable CRL checking in all applications. CRL checking ensures that a presented certificate passes validation tests for approval. ...
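The two CRL-related points above (publish every CA certificate and CRL to a reachable location; turn CRL checking on in applications) can be seen together in a small chain-validation model. The code below is an added example written for this section, not code from the Resource Kit or from any Windows PKI component: the CA names, serial numbers and the `Repository` class standing in for the published AIA/CDP locations are constructed for illustration, and the model deliberately omits signature, validity-period and extension checks that a real chaining engine performs. What it does show is the fail-closed rule from the text (any missing CA certificate or CRL makes the status undeterminable) and what an application loses when it skips CRL checking.

```python
"""Toy model of certificate-chain validation with CRL checking (added example).

Constructed data only: no real certificates, keys or signatures are involved.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str          # subject name of the CA that signed this certificate
    serial: int
    is_ca: bool = False


@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked: frozenset   # serial numbers this issuer has revoked


@dataclass(frozen=True)
class Repository:
    """Stands in for the published CA-certificate (AIA) and CRL (CDP) locations."""
    ca_certs: dict       # subject name -> Cert (CA certificates only)
    crls: dict           # issuer name  -> CRL


def validate(leaf, repo, trust_anchors, check_crls=True, max_depth=10):
    """Return (status, reason): status is GOOD, REVOKED, UNTRUSTED or UNDETERMINED.

    check_crls=False mimics an application with CRL checking disabled: it builds
    the chain but never looks at revocation, so a revoked certificate passes.
    """
    chain = [leaf]
    cert = leaf
    # Walk upward until a self-signed certificate, fetching each issuer's cert.
    while cert.subject != cert.issuer:
        if len(chain) > max_depth:
            return "UNDETERMINED", "chain too long"
        issuer = repo.ca_certs.get(cert.issuer)
        if issuer is None:
            return "UNDETERMINED", f"CA certificate for {cert.issuer!r} is not available"
        chain.append(issuer)
        cert = issuer
    if chain[-1].subject not in trust_anchors:
        return "UNTRUSTED", f"chain ends in untrusted root {chain[-1].subject!r}"
    if not check_crls:
        return "GOOD", "chain built; revocation NOT checked"
    # Every certificate below the root must be checked against its issuer's CRL.
    for c in chain[:-1]:
        crl = repo.crls.get(c.issuer)
        if crl is None:
            return "UNDETERMINED", f"CRL for {c.issuer!r} is not available"
        if c.serial in crl.revoked:
            return "REVOKED", f"{c.subject!r} (serial {c.serial}) is on the CRL of {c.issuer!r}"
    return "GOOD", "chain built and no certificate in it is revoked"


def without(repo, ca_cert_of=None, crl_of=None):
    """Copy of repo with one CA certificate and/or one CRL made unreachable."""
    ca_certs = {k: v for k, v in repo.ca_certs.items() if k != ca_cert_of}
    crls = {k: v for k, v in repo.crls.items() if k != crl_of}
    return replace(repo, ca_certs=ca_certs, crls=crls)


# Constructed two-tier hierarchy: offline root -> issuing CA -> end-entity certs.
ROOT = Cert("Example Root CA", "Example Root CA", 1, is_ca=True)
ISSUING = Cert("Example Issuing CA", "Example Root CA", 2, is_ca=True)
ALICE = Cert("alice@example.test", "Example Issuing CA", 1001)
BOB = Cert("bob@example.test", "Example Issuing CA", 1002)   # revoked below
TRUSTED = {"Example Root CA"}

FULL_REPO = Repository(
    ca_certs={ROOT.subject: ROOT, ISSUING.subject: ISSUING},
    crls={
        "Example Root CA": CRL("Example Root CA", frozenset()),
        "Example Issuing CA": CRL("Example Issuing CA", frozenset({1002})),
    },
)


def scenarios():
    """Run the cases discussed in the text and return {name: status}."""
    return {
        "all published, valid cert": validate(ALICE, FULL_REPO, TRUSTED)[0],
        "all published, revoked cert": validate(BOB, FULL_REPO, TRUSTED)[0],
        "revoked cert, CRL checking off": validate(BOB, FULL_REPO, TRUSTED, check_crls=False)[0],
        "issuing CA CRL unreachable": validate(ALICE, without(FULL_REPO, crl_of="Example Issuing CA"), TRUSTED)[0],
        "root CRL unreachable": validate(ALICE, without(FULL_REPO, crl_of="Example Root CA"), TRUSTED)[0],
        "issuing CA cert unreachable": validate(ALICE, without(FULL_REPO, ca_cert_of="Example Issuing CA"), TRUSTED)[0],
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:32} -> {status}")
```

The "CRL checking off" case is the one to notice: the chain builds cleanly and the revoked certificate is reported GOOD, which is exactly why the recommendation is to enable CRL checking in every application rather than rely on chain building alone. The "unreachable" cases show the other half: a CRL or CA certificate that is published only to a location clients cannot reach yields UNDETERMINED, which a correctly configured application treats as a validation failure.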

Get Microsoft® Windows® Security Resource Kit, Second Edition now with the O’Reilly learning platform.
