Several years (and employers) ago I completed a project to implement a PKI solution for a client. The design was a two-tier design with virtual servers. The Offline Root CA was implemented with no network connection and used an encrypted virtual disk to further support the private key of the root CA. Procedures were provided to renew the Certificate Revocation List (CRL) every year. The project was completed and all was well.

Roll forward a year and I get a call that the client is having issues renewing the CRL. Before trusting an issued certificate, in this case the certificate of the issuing CA, the CRL has to be checked to ensure it remains valid. I was invited to a conference call where the issue was being investigated. After joining the call it became obvious that the client’s managed services team was not following the provided procedures. Nor did they seem to have any idea of what “offline” means. They had connected the Offline Root CA to the network and were accessing it using Windows RDP. I was able to quickly resolve the problem, and everything returned to normal. I included the fact that since the Root CA had been exposed to the network for an extended period of time, and there were too many people who could have accessed it during this time, the security of the entire PKI environment was compromised.
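The CRL expiry described above is easy to catch ahead of time. The following is an added example, not code from the original post: it builds a throwaway root CRL with the `cryptography` library and checks how many days remain before its nextUpdate, so an alert can fire well before relying parties start rejecting the issuing CA certificate. The CA name, the 30-day warning threshold and the 2024 issue date are assumptions; the one-year lifetime mirrors the yearly renewal procedure in the post.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

WARN_DAYS = 30  # assumed alerting threshold before nextUpdate (not from the post)
ISSUED = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)  # constructed issue date

def build_root_crl(issued: dt.datetime, lifetime_days: int = 365) -> bytes:
    """Constructed sample: sign an empty CRL as an offline root CA would (throwaway key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Offline Root CA")])
    crl = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(issued)
        .next_update(issued + dt.timedelta(days=lifetime_days))  # yearly renewal window
        .sign(private_key=key, algorithm=hashes.SHA256())
    )
    return crl.public_bytes(serialization.Encoding.PEM)

def crl_status(crl_pem: bytes, now: dt.datetime) -> dict:
    """Parse a PEM CRL and report whether relying parties will still accept it."""
    crl = x509.load_pem_x509_crl(crl_pem)
    # next_update_utc exists in newer cryptography releases; fall back to the naive field.
    next_update = getattr(crl, "next_update_utc", None)
    if next_update is None:
        next_update = crl.next_update.replace(tzinfo=dt.timezone.utc)
    remaining = (next_update - now).days
    if remaining < 0:
        state = "EXPIRED"      # chain validation of the issuing CA cert now fails
    elif remaining <= WARN_DAYS:
        state = "RENEW_SOON"   # time to run the offline renewal procedure
    else:
        state = "OK"
    return {"issuer": crl.issuer.rfc4514_string(), "days_remaining": remaining, "state": state}

def renewal_timeline(issued: dt.datetime = ISSUED) -> dict:
    """Check one CRL at three points in its life (constructed scenario)."""
    pem = build_root_crl(issued)
    return {label: crl_status(pem, issued + dt.timedelta(days=d))["state"]
            for label, d in (("fresh", 0), ("day_350", 350), ("day_400", 400))}

if __name__ == "__main__":
    print(renewal_timeline())
```

Pointing `crl_status` at the CRL your issuing CA actually publishes, on a schedule, is the check that would have flagged this client's problem a month early.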

One attribute of a secure PKI is non-repudiation. If a certificate exists that claims to be from this PKI, we can prove the claim one way or the other. But if someone makes a copy of the private key of the root CA, then they can forge a certificate that is indistinguishable from a legitimate one. And since the forgery carries the root CA's signature, nothing chaining to that root can be trusted any longer: every certificate in the hierarchy has to be thrown out and the PKI rebuilt from a new root.

I did not find out what came of all of my warnings, but I did see that the client was involved in a pretty significant security breach several months later. I have no idea if the PKI environment was involved in the breach, but the way they managed their PKI, I would guess that other important processes related to security may not be handled correctly. And all it takes is one opening for someone to get their foot in the door.
