Updated on 2025-08-25 GMT+08:00

Private Root CAs Are Disabled

Rule Details

Table 1 Rule details

Parameter       | Description
Rule Name       | pca-certificate-authority-root-disable
Identifier      | Private Root CAs Are Disabled
Description     | If private root CAs are enabled, this rule is non-compliant.
Tag             | pca
Trigger Type    | Configuration change
Filter Type     | pca.ca
Rule Parameters | None

Application Scenarios

Disabling root CAs and designing a proper private CA hierarchy have the following benefits:

  • Core of the trust chain: The private key of a root CA is the foundation of the entire trust chain. If that private key is disclosed, attackers can issue any certificate and the entire trust system collapses.
  • Lower risk of key disclosure: Disabling root CAs and using them only to issue sub-CAs minimizes how often root CA private keys are used, which reduces the risk of disclosure.
  • Risk isolation: Sub-CAs can be divided by department, service, or environment (such as development, testing, and production). If the private key of a sub-CA is disclosed, that sub-CA and the certificates it issued can be quickly revoked without affecting the root CA or other sub-CAs.
  • Fine-grained permission control: You can set different issuance policies and permissions for each sub-CA to meet different service requirements.

Solution

Disable the root CA. For details, see Disabling a Private CA.

Rule Logic

  • If a private CA is a root CA and enabled, this private CA is non-compliant.
  • If a private CA is a root CA and is disabled, this private CA is compliant.
  • If a private CA is not a root CA, this private CA is compliant.
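The rule logic above, as an added Python example that is not part of this page or of the PCA service: it applies the three rules to a constructed CA inventory and, going one step beyond the page, also lists the enabled sub-CAs chained under each root to show that disabling a root does not affect the sub-CAs it already issued. The field names, status values and CA identifiers are assumptions, not the real pca.ca schema.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field names/values are assumptions for illustration, not the real pca.ca schema.
@dataclass(frozen=True)
class PrivateCA:
    ca_id: str
    ca_type: str                     # "ROOT" or "SUBORDINATE"
    status: str                      # "ENABLED" or "DISABLED"
    issuer_id: Optional[str] = None  # None for a root CA

def evaluate(ca: PrivateCA) -> str:
    """Rule logic from the page: only an enabled root CA is non-compliant."""
    if ca.ca_type == "ROOT" and ca.status == "ENABLED":
        return "NonCompliant"
    return "Compliant"

def evaluate_inventory(cas: List[PrivateCA]) -> Dict[str, str]:
    """Evaluate every CA, as the configuration-change trigger would."""
    return {ca.ca_id: evaluate(ca) for ca in cas}

def enabled_subordinates(cas: List[PrivateCA], root_id: str) -> List[str]:
    """Enabled sub-CAs whose chain ends at root_id. Disabling the root leaves
    them untouched: it only stops the root key from signing anything new."""
    by_id = {ca.ca_id: ca for ca in cas}
    out = []
    for ca in cas:
        if ca.ca_type != "SUBORDINATE" or ca.status != "ENABLED":
            continue
        cur = ca
        for _ in range(len(cas)):  # bounded walk guards against cyclic data
            if cur.issuer_id == root_id:
                out.append(ca.ca_id)
                break
            cur = by_id.get(cur.issuer_id)
            if cur is None:
                break
    return out

# Constructed sample inventory (not real CA identifiers).
SAMPLE_CAS = [
    PrivateCA("root-prod", "ROOT", "ENABLED"),
    PrivateCA("root-dev", "ROOT", "DISABLED"),
    PrivateCA("sub-prod-web", "SUBORDINATE", "ENABLED", "root-prod"),
    PrivateCA("sub-prod-svc", "SUBORDINATE", "ENABLED", "sub-prod-web"),
    PrivateCA("sub-dev", "SUBORDINATE", "ENABLED", "root-dev"),
]

if __name__ == "__main__":
    print(evaluate_inventory(SAMPLE_CAS))
```

In the sample, only root-prod is reported as non-compliant; disabling it leaves sub-prod-web and sub-prod-svc enabled and issuing.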