Hi
We are looking at creating our own internal PKI for certificate generation. A client machine will request the certificate and the CA will generate this per user.
Some questions:
i. When the certificate is generated per user, is the private key involved at all? Or is it just the username + public key, with the certificate then digitally signed by the CA?
ii. What are the recommendations for protecting the private key of the CA? Is this one key that will always remain static? Some sort of HSM device?
iii. What are the recommendations for protecting the root CA itself?