Categories: Business & Tech News

SOLVED: Should You Power Off Your Root Certificate Authority

Most companies create a root certificate authority in their windows network and then treat it like any other server. We mean that they leave it running all the time, patch it monthly and make sure that it is functional properly. However, it was certainly best practice years ago to leave your root CA powered off, only starting it up twice a year to:

  1. patch the operating system
  2. sync a new CRL (Certificate Revocation List)

Today come up one of our newer technicians ask the question, is it still best practice to power off certificate authorities because he had never seen it before.

we thought it was a good question so we asked Microsoft and here is what they told us:

Yes, it is still considered best practice to keep a Windows root Certification Authority (CA) offline most of the time. This practice enhances security by minimizing the risk of the root CA being compromised. The root CA is typically only powered on when necessary, such as for issuing or renewing certificates for subordinate CAs


Published by
Ian Matthews

This website uses cookies.