Best Practices

The following best practices should be followed when securing Active Directory Certificate Services:

  • Increase the security of root CA computers. You can do this by deploying off-line CAs and, if possible, by deploying off-line policy CAs, depending on your company's security policy.

  • Implement a hardware security module. You should do this only if your company's security policy or organizations that you want to exchange certificates with require strong protection of CA key pairs.

  • Ensure that CRLs and CA certificates are published to accessible locations. The certificate-chaining engine must have access to all CRLs and CA certificates in the certificate chain to validate a presented certificate. If any certificate or CRL is unavailable, ...
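One way to check the publication points named in the last practice is sketched below as an added example; it is not code from the book. It lists the CRL distribution point (CDP) and authority information access (AIA) URLs of each certificate in a chain and probes the HTTP ones. The function names and the file name `issued-cert.cer` are hypothetical.

```powershell
# Added example: list and probe the CDP and AIA URLs of every certificate in a chain.
# Assumption: .\issued-cert.cer is a certificate issued by the CA hierarchy under review.
function Get-PublicationUrl {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $oids = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
    foreach ($ext in $Certificate.Extensions) {
        $kind = $oids[$ext.Oid.Value]
        if (-not $kind) { continue }
        # Format($true) renders the extension as text containing "URL=..." entries on Windows.
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            [pscustomobject]@{ Subject = $Certificate.Subject; Kind = $kind; Url = $m.Groups[1].Value }
        }
    }
}

function Test-ChainPublication {
    param([Parameter(Mandatory)][string]$Path)
    $fullPath = (Resolve-Path $Path).Path
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # build the chain only; URLs are probed below
    [void]$chain.Build($cert)
    foreach ($element in $chain.ChainElements) {
        foreach ($entry in Get-PublicationUrl -Certificate $element.Certificate) {
            $status = 'NotProbed'   # ldap:// and file:// URLs are listed but not fetched here
            if ($entry.Url -match '^https?://') {
                try {
                    $r = Invoke-WebRequest -Uri $entry.Url -UseBasicParsing -TimeoutSec 10
                    $status = "HTTP $($r.StatusCode)"
                } catch {
                    $status = "FAILED: $($_.Exception.Message)"
                }
            }
            $entry | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
        }
    }
}

Test-ChainPublication -Path .\issued-cert.cer | Format-Table -AutoSize
```

Run it from a machine in the same network position as the clients that will validate certificates, because a URL reachable from the CA server may not be reachable from them. The built-in `certutil -verify -urlfetch` performs a fuller check that also retrieves LDAP locations.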

Get Windows Server® 2008 Security Resource Kit now with the O’Reilly learning platform.
