Generically, consider your CA to be a valuable server and treat it as you would any other valuable server, such as one holding HR data or financial information. That means protecting it physically, too. Also apply your usual software and network protections: intrusion-detection systems, a dedicated firewall in front of it and so on. Better still is to keep the CA off your normal network entirely and reach it only by "sneakernet" (carrying certificate requests in and signed certificates out on removable media), though that often conflicts with the whole reason for having a CA server, namely that it is a server. The usual compromise is an offline root CA that signs only a small number of online issuing CAs, which then do the day-to-day work. CAs are also special in that you can buy dedicated hardware, a hardware security module (HSM), both to speed up signing and to keep the most sensitive component, the CA's private key, from ever leaving the device. SANS and CSI have courses and publications on protecting systems; look over their Web sites. However, hardly any system is generic: the specifics of how you protect yours depend on what you do with it.
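The offline-root split described above, as an added example that is not part of the original answer: an "offline" directory stands in for the air-gapped root CA host, an "online" directory for the issuing CA, and the only things that cross between them are a CSR going in and certificates coming out. It assumes the `openssl` command-line tool is installed; the CA names, file names and directory layout are illustrative, not a standard. The root signs the issuing CA with `pathlen:0`, and the last function shows why that matters: if the online issuing key is stolen, the thief can mint leaf certificates but cannot stand up a new CA tier that chains to the root.

```shell
#!/bin/sh
# Two-tier PKI: an offline root CA that only ever sees a CSR (in) and a
# certificate (out), and an online issuing CA that does the daily signing.
# $OFFLINE stands in for the air-gapped host; nothing in $ONLINE may read it.
# Directory layout, CNs and hostnames are illustrative assumptions.
set -eu
umask 077                         # every private key is created mode 0600
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
OFFLINE="$WORK/offline-root"      # sneakernet-only: the only place root.key exists
ONLINE="$WORK/online-issuing"     # on the network: never holds root.key
mkdir -p "$OFFLINE" "$ONLINE"

# gen_csr DIR NAME CN : RSA-2048 key plus CSR, written under DIR.
gen_csr() {
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$3" > "$1/$2.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# sign_csr CSR CA_CRT CA_KEY EXTFILE DAYS OUT : issue a cert with the given extensions.
sign_csr() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -extfile "$4" -days "$5" -out "$6" 2>/dev/null
}

# Offline side: self-signed root, no path length limit of its own.
gen_csr "$OFFLINE" root "Example Offline Root CA"
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' > "$OFFLINE/root.ext"
openssl x509 -req -in "$OFFLINE/root.csr" -signkey "$OFFLINE/root.key" -days 3650 \
  -extfile "$OFFLINE/root.ext" -out "$OFFLINE/root.crt" 2>/dev/null

# Online side: issuing key and CSR. Only the CSR crosses to the offline host.
gen_csr "$ONLINE" issuing "Example Online Issuing CA"
cp "$ONLINE/issuing.csr" "$OFFLINE/inbox-issuing.csr"

# Offline side signs it with pathlen:0, so the issuing CA cannot create sub-CAs.
printf 'basicConstraints = critical, CA:TRUE, pathlen:0\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid:always\n' > "$OFFLINE/issuing.ext"
sign_csr "$OFFLINE/inbox-issuing.csr" "$OFFLINE/root.crt" "$OFFLINE/root.key" \
  "$OFFLINE/issuing.ext" 1825 "$OFFLINE/outbox-issuing.crt"

# Back across the sneakernet: the issuing cert and the root *certificate* only.
cp "$OFFLINE/outbox-issuing.crt" "$ONLINE/issuing.crt"
cp "$OFFLINE/root.crt" "$ONLINE/root.crt"

# issue_leaf HOST : everyday work on the online CA; the root key is never needed.
issue_leaf() {
  gen_csr "$ONLINE" "$1" "$1"
  printf 'basicConstraints = critical, CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$1" > "$ONLINE/$1.ext"
  sign_csr "$ONLINE/$1.csr" "$ONLINE/issuing.crt" "$ONLINE/issuing.key" \
    "$ONLINE/$1.ext" 365 "$ONLINE/$1.crt"
}

# verify_leaf HOST : exit 0 if HOST's cert chains root -> issuing -> leaf.
verify_leaf() {
  openssl verify -CAfile "$ONLINE/root.crt" -untrusted "$ONLINE/issuing.crt" \
    "$ONLINE/$1.crt" >/dev/null 2>&1
}

# rogue_subca_rejected : simulate theft of the online issuing key. The thief
# mints a CA:TRUE sub-CA and a leaf beneath it; exit 0 if chain validation
# rejects that leaf because the root imposed pathlen:0 on the issuing CA.
rogue_subca_rejected() {
  gen_csr "$ONLINE" rogue "Rogue Sub-CA"
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign\n' > "$ONLINE/rogue.ext"
  sign_csr "$ONLINE/rogue.csr" "$ONLINE/issuing.crt" "$ONLINE/issuing.key" \
    "$ONLINE/rogue.ext" 365 "$ONLINE/rogue.crt"
  gen_csr "$ONLINE" victim "victim.example.test"
  printf 'basicConstraints = CA:FALSE\n' > "$ONLINE/victim.ext"
  sign_csr "$ONLINE/victim.csr" "$ONLINE/rogue.crt" "$ONLINE/rogue.key" \
    "$ONLINE/victim.ext" 365 "$ONLINE/victim.crt"
  ! openssl verify -CAfile "$ONLINE/root.crt" -untrusted "$ONLINE/issuing.crt" \
    -untrusted "$ONLINE/rogue.crt" "$ONLINE/victim.crt" >/dev/null 2>&1
}

# perm_of FILE : mode string, e.g. -rw------- for a key created under umask 077.
perm_of() { ls -l "$1" | cut -c1-10; }

issue_leaf www.example.test
```

On a real deployment the two directories are two machines, the `cp` lines are removable media, and the root key would live in an HSM rather than a file; the pattern of "only a CSR in, only a certificate out" is the same. Checking that the issuing host never ends up with a copy of `root.key`, and that key files are owner-only, is a cheap test worth keeping in whatever script drives the real ceremony.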
For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Public and private keys/PKI
News & Analysis: CA edges into enterprise PKI