Why are Root CAs often offline?
Why is the Root Certificate Authority often a standalone server?
1. Ultimate Trust Anchor
- The Root CA is the trust anchor of the entire PKI hierarchy.
- If compromised, all subordinate certificates become untrustworthy.
2. Minimizing Attack Surface
- The Root CA is typically offline (air-gapped) to reduce exposure to attacks.
- Being disconnected from networks prevents remote compromise.
3. One-Time or Rare Use
- The Root CA is only used to sign intermediate CA certificates or revoke them.
- It does not issue certificates to end-users or servers directly.
4. Manual and Audited Operations
- All use of the Root CA is manual and tightly controlled.
- Requests are physically transported (e.g., via USB) for signing operations.
5. Chain of Trust Delegation
- Intermediate (child) CAs are online and handle day-to-day certificate issuance.
- This delegation keeps the Root CA secure while leaving day-to-day issuance flexible.
Summary Table
| Component | Connected? | Purpose | Security Model |
|---|---|---|---|
| Root CA | No | Sign intermediate CA certificates | Offline, air-gapped, maximum security |
| Intermediate CA | Yes | Issue certificates to end-users and systems | Online, hardened, operationally active |
PKI Trust Hierarchy
Root CA (Offline)
↓
Intermediate CA (Online)
↓
End-Entity Certificates (Servers, Clients)