NSA “Defending Against Compromised Certificates”
This PDF is a great 2 page synopsis from the National Security Agency about how to defend against compromised digital certificates.
A digital certificate is a signed, trusted document issued to a company or individual by a trusted certificate authority (CA). Digital certificates are commonly used by web servers to demonstrate their authenticity to web browsers.
Trustworthiness in a digital certificate depends on both the confidentiality of the private key for the particular certificate, as well as confidence that the CA who issued the certificate would issue it to only authentic parties. When that trust is broken, it becomes necessary to revoke trust in a certificate or in a certificate authority.
This guidance provides IT personnel with actionable information to defend against compromised CA and web site certificates, which could permit a malicious web server to impersonate the genuine one. Each operating system (OS) and browser may use different mechanisms to check and revoke trust in a certificate. Some use a Certificate Revocation List (CRL), while others use the Online Certificate Status Protocol (OCSP).
Still others rely entirely on the issuance of software updates, whose prompt application remains fundamentally important. Variety also exists in how browsers handle certificate validation. Some query the OS certificate store, while others use their own certificate store and thus must be configured separately. Finally, note that some sites may become inaccessible when enforcing strict revocation checking.