In some CSU designs, encrypted backup copies of the CA's private key
are kept. A CA which loses its key can then restore it by loading the
encrypted backup into the CSU, which can decrypt it using some unique
information stored inside the CSU; the encrypted backup can only be
decrypted using the CSU. If the CSU itself is destroyed, the
manufacturer may be able to supply another with the same internal
information, thus allowing recovery of the key.

A compromised CA key is a much more dangerous situation. An attacker who discovers a certifying authority's private key can issue phony certificates in the name of the certifying authority, which would enable undetectable forgeries; for this reason, all precautions must be taken to prevent compromise, including those outlined in Questions 3.3.8 and 3.3.9. If a compromise does occur, the CA must immediately cease issuing certificates under its old key and change to a new key. If it is suspected that some phony certificates were issued, all certificates should be recalled, and then reissued with a new CA key. These measures could be relaxed somewhat if certificates were registered with a digital time-stamping service (see Question 3.3.18). Note that compromise of a CA key does not invalidate users' keys, but only the certificates that authenticate them. Compromise of a top-level CA's key should be considered catastrophic, since the key may be built into applications that verify certificates.
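The recovery procedure above, as an added example that is not part of the FAQ: a triage that decides which certificates under a compromised CA key must be recalled, why time-stamp registration relaxes that, and a reissue that keeps the user's own key. The time-stamping service is modelled with an HMAC under a constructed key (a real service would sign); the Cert fields, key ids and times are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

TSA_KEY = b"constructed-tsa-key"   # stands in for the time-stamping service's signing key
@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    subject_pubkey: str      # the user's own key; a CA compromise does not invalidate it
    issuer_key_id: str       # which CA key signed this certificate
    issued_at: int           # self-asserted; whoever holds the CA key can backdate it
    ts_registered_at: Optional[int] = None   # time asserted by the TSA, if registered
    ts_token: Optional[bytes] = None         # TSA token binding the certificate to that time

def _tsa_token(cert: Cert, t: int) -> bytes:
    # The TSA binds a digest of the certificate content to its own clock reading.
    body = f"{cert.serial}|{cert.subject}|{cert.subject_pubkey}|{cert.issuer_key_id}|{cert.issued_at}"
    digest = hashlib.sha256(body.encode()).digest()
    return hmac.new(TSA_KEY, digest + t.to_bytes(8, "big"), hashlib.sha256).digest()
def register_timestamp(cert: Cert, now: int) -> Cert:
    """Register the certificate with the time-stamping service at time `now`."""
    return replace(cert, ts_registered_at=now, ts_token=_tsa_token(cert, now))
def timestamp_valid(cert: Cert) -> bool:
    if cert.ts_token is None or cert.ts_registered_at is None:
        return False
    return hmac.compare_digest(cert.ts_token, _tsa_token(cert, cert.ts_registered_at))
def triage(certs, compromised_key_id, suspected_since):
    """Split into (keep, recall): only a valid TSA time before suspected_since proves
    a certificate genuine; without it everything under the old key is recalled."""
    keep, recall = [], []
    for c in certs:
        unaffected = c.issuer_key_id != compromised_key_id
        proven_old = timestamp_valid(c) and c.ts_registered_at < suspected_since
        (keep if unaffected or proven_old else recall).append(c)
    return keep, recall
def reissue(cert: Cert, new_key_id: str, new_serial: int, now: int) -> Cert:
    """Reissue under the new CA key; the subject's own public key is unchanged."""
    return Cert(new_serial, cert.subject, cert.subject_pubkey, new_key_id, now)

# Constructed sample: alice registered before the compromise, bob never; mallory is phony
# (issued_at backdated, but the TSA first saw the certificate after the compromise).
SUSPECTED_SINCE = 1_700_000_000
CERTS = [
    register_timestamp(Cert(1, "alice", "pk-alice", "ca-key-1", 1_699_000_000), 1_699_000_100),
    Cert(2, "bob", "pk-bob", "ca-key-1", 1_699_500_000),
    register_timestamp(Cert(3, "mallory", "pk-mallory", "ca-key-1", 1_698_000_000), 1_700_100_000),
]
KEEP, RECALL = triage(CERTS, "ca-key-1", SUSPECTED_SINCE)
```

Only alice's certificate survives the triage: bob's is genuine but cannot be distinguished from a forgery without a registration, and mallory's backdated issue time is not evidence because the TSA's clock, not the certificate's, is what counts.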