See Certificate Services Concepts and the resources listed in Resources: Public Key Infrastructure for information that will assist you with planning a PKI.
The root certification authority (CA) should be offline, and its signing key should be secured by hardware and kept in a vault to minimize the potential for key compromise.
For more information, see Checklist: Creating a certification hierarchy with an offline root certification authority.
Change security permissions for the certification authority (CA) only by using the Certification Authority snap-in. Setting permissions using other mechanisms (such as the Active Directory Sites and Services snap-in) may create problems for users attempting to access and request certificates from the certification authority.
For more information, see Set security permissions and delegate control of a certification authority.
For more information, see
For more information, see Backing up and restoring a certification authority.
For general information about access control and security permissions in Windows 2000, see Access Control. For the procedure to set access control on a CA, see Set security permissions and delegate control of a certification authority. For the procedure to set enterprise-wide access control on certificate templates, see Set security permissions and delegate control of certificate templates.