More CA Requirements
CA systems should, as far as possible, support Certificate Revocation
Lists (CRLs), which list unexpired certificates that have been revoked
and keep them out of day-to-day operations. This function requires
tight coupling with RA functions and is needed at the time certificates
are shared or requested from the directory service. Many
implementations do not support CRLs, but finding one that does will
place you ahead of the game and add security to the overall system.
CRL update mechanisms should include a way to alert the CA to a
compromised, or suspected compromised, private key. The process
should enable easy revocation and certificate replacement WITHOUT undue
effort. In the absence of this ability, the PKI may become
next-to-worthless with the first private key compromise. Remember --
the PKI is based on trusting the security of private keys!
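
The CRL check described above, made at the moment a certificate is
requested, shown as an added example that is not part of the original
text. It assumes the Python "cryptography" package; the CA name, subject
names, serial numbers and the helper names (crl_status, _cert, _crl, demo)
are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def crl_status(cert, crl, ca_public_key, now):
    """Return 'good', 'revoked' or 'unknown' (CRL unusable, so fail closed)."""
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_public_key):
        return "unknown"  # CRL from another issuer, or not signed by this CA
    next_update = getattr(crl, "next_update_utc", None) or \
        crl.next_update.replace(tzinfo=timezone.utc)  # older library versions
    if now > next_update:
        return "unknown"  # stale CRL: a newer one may list this certificate
    hit = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if hit is not None else "good"

# --- constructed sample data: hypothetical CA, names and serial numbers ---
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject, pubkey, ca_key, serial, now):
    return (x509.CertificateBuilder().subject_name(_name(subject))
            .issuer_name(_name("Example CA")).public_key(pubkey)
            .serial_number(serial).not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))

def _crl(signing_key, revoked_serials, now):
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(_name("Example CA"))
               .last_update(now).next_update(now + timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(now).build())
    return builder.sign(signing_key, hashes.SHA256())

def demo():
    now = datetime.now(timezone.utc).replace(microsecond=0)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    other_key = ec.generate_private_key(ec.SECP256R1())  # not the CA's key
    user_pub = ec.generate_private_key(ec.SECP256R1()).public_key()
    alice = _cert("alice", user_pub, ca_key, 1001, now)
    bob = _cert("bob", user_pub, ca_key, 1002, now)  # key reported compromised
    crl, pub = _crl(ca_key, [1002], now), ca_key.public_key()
    return {"alice": crl_status(alice, crl, pub, now),
            "bob": crl_status(bob, crl, pub, now),
            "wrong_signer": crl_status(bob, _crl(other_key, [], now), pub, now),
            "stale": crl_status(alice, crl, pub, now + timedelta(days=8))}
```

Calling demo() returns the status for each case; a directory service
would hand out a certificate only when the status is "good".
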
Last, you'll want to make sure your CA provides sufficient training for
all levels of personnel working within the PKI. This will include
people who operate the RA functions, system developers, and end-users.
You'll also want help from the CA in developing internal certificate
practices statements, operating procedures, key escrow and recovery
procedures, and any other documentation to support the PKI project's
development life cycle.