Key management is one of the major issues affecting the security of a deployment. The most successful attacks bypass encryption rather than break it: if an attacker can get into your server and steal the private key, or has some other way to force you to reveal it, why would they bother with the cryptography at all?
Private keys must be protected from leakage
Treat your private keys as a valuable asset and restrict access to them to the people who genuinely need it. Some CAs offer to generate private keys for you; a key that was created on someone else's system has already left your control, so decline the offer and generate it yourself. Private keys must be stored in a safe place. There are no exceptions to this rule.
Keys must be generated with a good random number generator
The security of a private key depends on the quality of the random number generator on the machine where the key is created. Keys are often created on a server right after installation and the first reboot, but a freshly booted server may not yet have gathered enough entropy, and the key it produces may then be far weaker than its size suggests. It is better to generate all keys in one place, preferably offline, where you can use a certified random number generator and control who touches the result.
Keys must be password protected
Protect your key with a password (passphrase) from the moment it is created. A key that is encrypted at rest limits the damage if your backup system is compromised, and it also prevents the key from leaking while it is being copied from one computer to another.
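The two points above, put into practice on the offline key-management host: generate the key there, encrypt it with a passphrase from the moment it exists, and verify the result before it is copied anywhere. This is an added example and not code from the original article. It assumes OpenSSL 1.1.1 or 3.x on the PATH; the name web01 and the literal passphrase are demonstration placeholders. In real use take the passphrase from -pass file:... or -pass env:VAR so it never appears in the process list or shell history.

```shell
#!/bin/sh
# Added example (not from the original article): generate a server key on the
# offline key-management host, encrypt it with a passphrase from the moment it
# exists, and verify it before it is copied anywhere.
# Assumptions: OpenSSL 1.1.1 or 3.x on PATH; 'web01' and the literal
# passphrase below are demo placeholders.
set -eu

# gen_key OUTFILE PASSPHRASE: RSA-2048 (a common minimum), written as a
# PKCS#8 PEM encrypted with AES-256-CBC. The subshell umask makes the file
# 0600 from creation, so it is never readable by other local users.
gen_key() {
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -aes-256-cbc -pass "pass:$2" -out "$1" 2>/dev/null )
}

# key_is_encrypted FILE: succeed only for a PKCS#8 encrypted PEM; a plain
# "BEGIN PRIVATE KEY" or "BEGIN RSA PRIVATE KEY" block is unprotected at rest.
key_is_encrypted() {
    grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# key_mode FILE: octal permission bits (GNU stat, falling back to BSD stat).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_unlocks FILE PASSPHRASE: succeed only if the passphrase really decrypts
# the key; run this before the passphrase goes into the password manager.
key_unlocks() {
    openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# pubkey_fingerprint FILE PASSPHRASE: SHA-256 of the DER public key. Record it
# in your key inventory; it identifies the key independently of certificates.
pubkey_fingerprint() {
    openssl pkey -in "$1" -passin "pass:$2" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

main() {
    dir=$(mktemp -d)
    key="$dir/web01.key"
    gen_key "$key" 'demo-passphrase'   # real use: -pass file:... or env:VAR
    key_is_encrypted "$key" && echo "web01.key: encrypted at rest"
    echo "web01.key: mode $(key_mode "$key")"
    key_unlocks "$key" 'demo-passphrase' && echo "web01.key: passphrase verified"
    echo "web01.key: public key sha256 $(pubkey_fingerprint "$key" demo-passphrase)"
    rm -rf "$dir"
}
main "$@"
```

The fingerprint printed at the end is the value worth keeping in an inventory: it does not change when the certificate is renewed, so it lets you recognise the same key wherever it later turns up.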
Do not share a key among servers
Sharing a key is risky: if one of the systems is compromised, the affected key can be used to attack every other system that uses the same key, even if those systems use different certificates. Separate keys per server also let you build a strict access control scheme, granting access to each key only to the people who are authorized for that particular system.
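An inventory check for the point above, as an added example that is not from the original article: it flags one private key standing behind several certificates by fingerprinting the public key inside each certificate rather than the certificate itself, so differing subjects, issuers or validity periods do not hide the reuse. It assumes OpenSSL 1.1.1 or 3.x on the PATH; the three self-signed certificates (web01, web02, web03) are constructed in the script as test data only, with web01 and web02 deliberately sharing a key.

```shell
#!/bin/sh
# Added example (not from the original article): detect one private key reused
# behind several certificates by fingerprinting the public key in each cert.
# Assumes OpenSSL 1.1.1 or 3.x on PATH. The certificates are constructed here
# (self-signed, throw-away keys) purely so the check has input to run on.
set -eu

# cert_key_fingerprint CERT: SHA-256 of the DER-encoded public key, which is
# the same regardless of who issued the certificate or what its subject is.
cert_key_fingerprint() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# shared_keys CERT...: print "fingerprint cert1 cert2 ..." for every key that
# appears in more than one certificate; print nothing if all keys are distinct.
shared_keys() {
    for c in "$@"; do
        printf '%s %s\n' "$(cert_key_fingerprint "$c")" "$c"
    done | sort | awk '
        { certs[$1] = certs[$1] " " $2; n[$1]++ }
        END { for (f in n) if (n[f] > 1) print f certs[f] }'
}

# make_cert KEY CN OUT: self-signed certificate (constructed test data only).
make_cert() {
    openssl req -x509 -new -key "$1" -subj "/CN=$2" -days 1 -out "$3" 2>/dev/null
}

# build_fixture DIR: one key reused by web01 and web02, a distinct key on web03.
build_fixture() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1/shared.key" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1/own.key" 2>/dev/null
    make_cert "$1/shared.key" web01.example "$1/web01.crt"
    make_cert "$1/shared.key" web02.example "$1/web02.crt"
    make_cert "$1/own.key"    web03.example "$1/web03.crt"
}

main() {
    dir=$(mktemp -d)
    build_fixture "$dir"
    # Expected: one line naming web01.crt and web02.crt; web03 is not listed.
    shared_keys "$dir"/web0*.crt
    rm -rf "$dir"
}
main "$@"
```

In a real inventory the certificates are pulled from each server (for example with openssl s_client) and the fingerprints are compared against the values recorded when the keys were generated; any fingerprint that appears on more than one host is a key that needs to be replaced on all but one of them.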
Change keys regularly
It is unwise to use the same key for a long time. You must change a private key after any security incident, when an authorized key user leaves your team, and whenever a new certificate is issued. By securely destroying the old key you make sure it cannot be used against you later. As a rule, keys should be changed every year.
Store your keys in a safe place
Keep a backup copy of your private keys in a safe place. Losing a server key is not a big problem, because you can generate a new one, but it is a completely different story for the keys of intermediate and private CAs and for keys used for pinning: clients that pin to a key or trust a CA will reject anything signed by a replacement until every one of them has been updated.
Dedicated devices called HSMs (Hardware Security Modules) are used to generate and store private keys. With an HSM the private key never leaves the device: the HSM performs the signing and decryption operations itself, and the host only ever sees the results.