Back to Blog
PKIMay 9, 202616 min read

Building an Offline Root CA: The Complete Enterprise Procedure

IP
InsecurePlanet Research
PKI & ADCS Security
Executive Summary

The offline Root CA is the foundation of enterprise PKI trust. Its security determines the security of every certificate in your hierarchy. This guide covers the complete procedure for building, configuring, and securing an offline Root CA — from hardware selection through key ceremony, CRL publication, and long-term storage.

Why the Root CA Must Be Offline

The Root CA's private key is the ultimate trust anchor for your entire PKI hierarchy. If it is compromised, every certificate in your hierarchy must be considered untrusted and the entire PKI must be rebuilt. Keeping the Root CA offline — disconnected from all networks — eliminates the attack surface for remote compromise.

An offline Root CA is only brought online to sign Issuing CA certificates (typically once every 5–10 years) and to publish CRLs (typically once every 6 months). All other certificate issuance is handled by online Issuing CAs.

Hardware and OS Selection

The Root CA should run on dedicated hardware — not a VM. A VM's disk image can be copied, potentially exposing the private key. Use a physical server or workstation with a TPM 2.0 chip for key storage, or a Hardware Security Module (HSM) for the highest security requirements.

Install Windows Server Core (no GUI) to minimize the attack surface. Apply all patches before the key ceremony. Disable all unnecessary services and network interfaces.

  • Physical hardware with TPM 2.0 (minimum) or HSM (recommended for high-assurance PKI).
  • Windows Server 2022 Core — minimal footprint, no GUI attack surface.
  • No network interfaces enabled after initial setup — use USB media for CRL publication and CA certificate distribution.
  • Encrypted storage for the CA database and private key backup.

Key Ceremony Procedure

The key ceremony is the formal process of generating the Root CA private key and self-signed certificate. It should be witnessed, documented, and conducted in a physically secure location. At minimum, two authorized personnel should be present.

  • Document the ceremony: record hardware serial numbers, software versions, and all configuration parameters.
  • Generate the key pair on the CA hardware — never import a key generated elsewhere.
  • Use RSA 4096-bit or ECDSA P-384 for the Root CA key.
  • Set a long Root CA certificate validity period: 20–25 years.
  • Immediately create an encrypted backup of the CA database and private key to offline media.
Why It Matters

The Root CA is the single point of failure for your entire PKI. A poorly built Root CA — running on a VM, with a weak key, or without proper backup procedures — undermines every security control that depends on certificate trust. Build it right once.

Recommended Actions
  1. 1Use physical hardware with TPM or HSM for Root CA key storage.
  2. 2Conduct a formal key ceremony with at least two authorized witnesses.
  3. 3Store Root CA backup media in a physically secure, geographically separate location.
  4. 4Publish Root CA CRLs to a publicly accessible HTTP endpoint with 6-month validity.
  5. 5Document the complete Root CA build procedure and store it with the offline media.
InsecurePlanet Take

We have seen Root CAs running on shared VMs, with keys stored on network shares, and with no backup procedure. These are not edge cases — they are common. The offline Root CA procedure is not complicated, but it requires deliberate effort. The InsecurePlanet ADCS Security Checklist includes a complete Root CA build checklist.

PKIRoot CAOffline CAHardening
Sources & References

InsecurePlanet provides original technical analysis based on the sources listed below. This article does not claim facts beyond the cited source material.

Security Brief

Get articles like this weekly

PKI advisories, ADCS updates, CISA KEV coverage, and Patch Tuesday analysis — every week.

Subscribe free
Free Resource

ADCS Security Checklist

24-page checklist covering ESC1–ESC13, CA hardening, CDP/OCSP, and enrollment endpoint security.

Download free
Advisory Services

Enterprise PKI advisory and ADCS assessment services are in preparation. Subscribe for updates when engagements open.

Service Updates Coming Soon