Best Practices
You can do this by deploying offline CAs and, if possible, by deploying offline policy CAs, depending on your company's security policy.
You should do this only if your company's security policy requires strong protection of CA key pairs.
The certificate chaining engine must have access to all CRLs and CA certificates in the certificate chain to validate a presented certificate. If any certificate or CRL is unavailable, its status cannot be determined.
CRL checking ensures that a presented certificate passes validation tests for approval. If the certificate fails any tests, it is considered invalid.
This way, you ensure that the CA is protected against known vulnerabilities.
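The chain validation requirement described above (every CA certificate and CRL in the chain must be reachable) can be checked from a client with the .NET X509Chain class. This is an added example, not part of the original text; the certificate path is a hypothetical placeholder and the 15-second retrieval timeout is an assumed value.

```powershell
# Added example: build the chain for one certificate with online revocation
# checking and report, per chain element, whether its status could be determined.
param(
    [string]$CertPath = 'C:\temp\example-cert.cer'   # hypothetical placeholder path
)

$x509  = 'System.Security.Cryptography.X509Certificates'
$cert  = New-Object "$x509.X509Certificate2" -ArgumentList $CertPath
$chain = New-Object "$x509.X509Chain"

# Require a revocation check on every certificate in the chain and fetch
# CRLs from their published distribution points instead of using only the cache.
$chain.ChainPolicy.RevocationMode      = 'Online'
$chain.ChainPolicy.RevocationFlag      = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)   # assumed value

$valid = $chain.Build($cert)

# Status flags that mean "could not be determined" rather than "known bad":
#   RevocationStatusUnknown / OfflineRevocation -> a CRL was unavailable
#   PartialChain                                -> an issuing CA certificate was unavailable
$undetermined = 'RevocationStatusUnknown', 'OfflineRevocation', 'PartialChain'

foreach ($element in $chain.ChainElements) {
    $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status.ToString() })
    [pscustomobject]@{
        Subject      = $element.Certificate.Subject
        Status       = if ($flags.Count) { $flags -join ', ' } else { 'NoError' }
        Undetermined = [bool]($flags | Where-Object { $_ -in $undetermined })
    }
}

"Chain valid: $valid"
```

Any element reported with Undetermined set to True points to a CRL distribution point or CA certificate location that the client could not reach, which is the condition to fix before relying on the chain.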