BounCA manages private CA operations through web UI and must protect CA key material.\n\n## CA Key Protection\n\n- Keep root/intermediate private keys offline or tightly controlled.\n- Enforce strict filesystem permissions on key storage.\n- Use passphrase-protected keys and secure backups.\n\n## Web Admin Security\n\n- Restrict web access to dedicated admin networks.\n- Enforce strong auth and MFA via reverse proxy where possible.\n- Audit certificate issuance and revocation actions.