Building an Offline Root CA: The Complete Enterprise Procedure
The offline Root CA is the foundation of enterprise PKI trust. Its security determines the security of every certificate in your hierarchy. This guide covers the complete procedure for building, configuring, and securing an offline Root CA — from hardware selection through key ceremony, CRL publication, and long-term storage.
Why the Root CA Must Be Offline
The Root CA's private key is the ultimate trust anchor for your entire PKI hierarchy. If it is compromised, every certificate in your hierarchy must be considered untrusted and the entire PKI must be rebuilt. Keeping the Root CA offline — disconnected from all networks — eliminates the attack surface for remote compromise.
An offline Root CA is only brought online to sign Issuing CA certificates (typically once every 5–10 years) and to publish CRLs (typically once every 6 months). All other certificate issuance is handled by online Issuing CAs.
Hardware and OS Selection
The Root CA should run on dedicated hardware — not a VM. A VM's disk image can be copied, potentially exposing the private key. Use a physical server or workstation with a TPM 2.0 chip for key storage, or a Hardware Security Module (HSM) for the highest security requirements.
Install Windows Server Core (no GUI) to minimize the attack surface. Apply all patches before the key ceremony. Disable all unnecessary services and network interfaces.
- Physical hardware with TPM 2.0 (minimum) or HSM (recommended for high-assurance PKI).
- Windows Server 2022 Core — minimal footprint, no GUI attack surface.
- No network interfaces enabled after initial setup — use USB media for CRL publication and CA certificate distribution.
- Encrypted storage for the CA database and private key backup.
Key Ceremony Procedure
The key ceremony is the formal process of generating the Root CA private key and self-signed certificate. It should be witnessed, documented, and conducted in a physically secure location. At minimum, two authorized personnel should be present.
- Document the ceremony: record hardware serial numbers, software versions, and all configuration parameters.
- Generate the key pair on the CA hardware — never import a key generated elsewhere.
- Use RSA 4096-bit or ECDSA P-384 for the Root CA key.
- Set a long Root CA certificate validity period: 20–25 years.
- Immediately create an encrypted backup of the CA database and private key to offline media.
The Root CA is the single point of failure for your entire PKI. A poorly built Root CA — running on a VM, with a weak key, or without proper backup procedures — undermines every security control that depends on certificate trust. Build it right once.
- 1Use physical hardware with TPM or HSM for Root CA key storage.
- 2Conduct a formal key ceremony with at least two authorized witnesses.
- 3Store Root CA backup media in a physically secure, geographically separate location.
- 4Publish Root CA CRLs to a publicly accessible HTTP endpoint with 6-month validity.
- 5Document the complete Root CA build procedure and store it with the offline media.
We have seen Root CAs running on shared VMs, with keys stored on network shares, and with no backup procedure. These are not edge cases — they are common. The offline Root CA procedure is not complicated, but it requires deliberate effort. The InsecurePlanet ADCS Security Checklist includes a complete Root CA build checklist.
InsecurePlanet provides original technical analysis based on the sources listed below. This article does not claim facts beyond the cited source material.
