Recommendations:
Use different key pairs to sign and encrypt messages to mitigate information disclosure and tampering attacks.
Do not use the same public key in different certificates, because of possible substitution (spoofing) attacks.
Use secure protocols to disseminate certificate and revocation information from repositories such as LDAP.
Update keys and corresponding certificates every three quarters.
Provide reliable storage for expired keys so that data encrypted under them can still be retrieved and recovered later.
Consider using OpenStack Anchor, an ephemeral PKI certification system that uses automated issuing rules and short-lived certificates to mitigate common certificate security issues.
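Two of these recommendations (separate key pairs for signing and encryption; no public key shared across certificates) can be checked mechanically over a set of parsed X.509 certificates. The Go program below is an added example, not part of the original guidance or of OpenStack Anchor; it audits the keyUsage extension and the SubjectPublicKeyInfo of each certificate and exercises the check on three self-signed certificates it constructs itself (the subject names and key usages are made up for the demonstration).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuditCerts flags key pairs marked for both signing and encryption, and public keys shared by several certificates.
func AuditCerts(certs []*x509.Certificate) []string {
	var findings []string
	seen := map[string]string{} // raw SubjectPublicKeyInfo -> first subject carrying that key
	for _, c := range certs {
		cn, spki := c.Subject.CommonName, string(c.RawSubjectPublicKeyInfo)
		if first, dup := seen[spki]; dup {
			findings = append(findings, cn+": same public key as "+first) // substitution (spoofing) risk
		} else {
			seen[spki] = cn
		}
		if c.KeyUsage&x509.KeyUsageDigitalSignature != 0 && c.KeyUsage&(x509.KeyUsageKeyEncipherment|x509.KeyUsageDataEncipherment) != 0 {
			findings = append(findings, cn+": one key pair used for both signing and encryption")
		}
	}
	return findings
}
// selfSigned builds a constructed sample certificate (from no real PKI) with the given key usage.
func selfSigned(cn string, key *rsa.PrivateKey, ku x509.KeyUsage) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(0, 6, 0), KeyUsage: ku}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // sample data only; a real audit tool would return the error
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return cert
}
// SampleFindings audits three constructed certificates: signing-only, one RSA key that both signs and encrypts, and one reusing the first key.
func SampleFindings() []string {
	k1, _ := rsa.GenerateKey(rand.Reader, 2048)
	k2, _ := rsa.GenerateKey(rand.Reader, 2048)
	return AuditCerts([]*x509.Certificate{
		selfSigned("sign.example", k1, x509.KeyUsageDigitalSignature),
		selfSigned("dual.example", k2, x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment),
		selfSigned("reuse.example", k1, x509.KeyUsageKeyEncipherment),
	})
}
func main() { fmt.Println(SampleFindings()) }
```

Running it reports two findings: the dual-use key of dual.example and the key that reuse.example shares with sign.example, while the signing-only certificate passes.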