Use different key pairs to sign and encrypt messages to mitigate
information disclosure and tampering attacks.
Do not use the same public key in different certificates, because this
enables substitution (spoofing) attacks.
Use secure protocols for the dissemination of certificate and revocation
information, for example from LDAP repositories.
Update keys and corresponding certificates every three quarters.
Provide reliable storage for expired keys that can be used later to
retrieve and recover encrypted data.
Consider using OpenStack Anchor, an ephemeral PKI certification
system that uses automated issuing rules and short-lived certificates to
mitigate common certificate security issues.
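As an added example (not part of the original list or of OpenStack Anchor), the Python script below uses the third-party `cryptography` package to issue separate short-lived signing and encryption certificates from a toy CA and then checks the first recommendations above as a policy: the signing key and the encryption key are different key pairs with distinct key usages, no public key appears in more than one certificate, and each certificate's lifetime stays within a bound. The CA, the subject names and the 274-day limit (three quarters) are assumptions constructed for this illustration.

```python
"""Added example, not code from the original text or from OpenStack Anchor.
Requires the third-party `cryptography` package."""
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Assumption for this example: "three quarters" rounded to 274 days.
MAX_CERT_LIFETIME = datetime.timedelta(days=274)


def new_key():
    """Generate a fresh RSA key pair (one per purpose, never shared)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def key_usage(for_signing):
    """keyUsage extension: either digitalSignature or keyEncipherment, not both."""
    return x509.KeyUsage(
        digital_signature=for_signing, content_commitment=False,
        key_encipherment=not for_signing, data_encipherment=False,
        key_agreement=False, key_cert_sign=False, crl_sign=False,
        encipher_only=False, decipher_only=False)


def issue(ca_key, ca_name, subject_cn, public_key, for_signing, lifetime):
    """Issue an end-entity certificate from the toy CA with a bounded lifetime."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(ca_name)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + lifetime)
        .add_extension(key_usage(for_signing), critical=True)
    )
    return builder.sign(ca_key, hashes.SHA256())


def spki_fingerprint(cert):
    """SHA-256 over the DER SubjectPublicKeyInfo: identifies the public key itself."""
    der = cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()


def validity_period(cert):
    """Lifetime of a certificate; prefers the *_utc accessors where available."""
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return na - nb


def policy_violations(certs):
    """Return human-readable violations of the key-separation / reuse / lifetime policy."""
    violations = []
    seen = {}  # SPKI fingerprint -> first subject that used it
    for cert in certs:
        cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        fp = spki_fingerprint(cert)
        if fp in seen:
            violations.append(f"{cn}: reuses the public key of {seen[fp]}")
        else:
            seen[fp] = cn
        try:
            ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        except x509.ExtensionNotFound:
            violations.append(f"{cn}: missing keyUsage extension")
            continue
        if ku.digital_signature and ku.key_encipherment:
            violations.append(f"{cn}: one key enabled for both signing and encryption")
        if validity_period(cert) > MAX_CERT_LIFETIME:
            violations.append(f"{cn}: lifetime exceeds policy maximum")
    return violations


def build_demo(reuse_key=False, lifetime_days=1):
    """Constructed demo: a toy CA issuing a signing cert and an encryption cert."""
    ca_key = new_key()
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])
    sign_key = new_key()
    enc_key = sign_key if reuse_key else new_key()  # reuse only to show the violation
    lifetime = datetime.timedelta(days=lifetime_days)
    return [
        issue(ca_key, ca_name, "alice-signing", sign_key.public_key(), True, lifetime),
        issue(ca_key, ca_name, "alice-encryption", enc_key.public_key(), False, lifetime),
    ]


if __name__ == "__main__":
    print("compliant set:", policy_violations(build_demo()))
    print("shared key:", policy_violations(build_demo(reuse_key=True)))
    print("long-lived:", policy_violations(build_demo(lifetime_days=400)))
```

The check keys on the SubjectPublicKeyInfo fingerprint rather than on the certificate fingerprint, so the same key wrapped in two differently named certificates is still caught; the keyUsage rule enforces the sign/encrypt separation at the certificate level so a relying party can refuse to encrypt to a signing key.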