18.104.22.168 What if a certifying authority's key is lost or compromised?
If the certifying authority's key is lost or destroyed but not compromised, certificates signed with the old key are still valid, as long as the verifier knows to use the old public key to verify the certificate. In some designs for certificate-signing devices, encrypted backup copies of the CA's private key are kept, so a CA that loses its key can then restore it by loading the encrypted backup into the device. If the device itself is destroyed, the manufacturer may be able to supply another one with the same internal information, thus allowing recovery of the key.
A compromised CA key is a much more dangerous situation. An attacker who discovers a certifying authority's private key can issue phony certificates in the name of the certifying authority, which would enable undetectable forgeries. For this reason, all precautions must be taken to prevent compromise, including those outlined in Questions 22.214.171.124 and Question 126.96.36.199.
If a compromise does occur, the CA must immediately cease issuing certificates under its old key and change to a new key. If it is suspected that some phony certificates were issued, all certificates should be recalled and then reissued with the new CA key. These measures could be relaxed somewhat if the certificates were registered with a digital timestamping service (see Question 7.11). Note that compromise of a CA key does not invalidate users' keys, but only the certificates that authenticate them. Compromise of a top-level CA's private key should be considered catastrophic, since the public key may be built into applications that verify certificates.