easy-rsa is CLI PKI tooling; risk centers on CA key handling and issuance workflow discipline.

## PKI Workflow Hardening

- Keep CA private key on hardened host, ideally offline for root CA.
- Separate root and intermediate CA duties.
- Control who can sign/revoke certificates.

## Secret Management

- Use encrypted key backups with tested recovery.
- Avoid storing passphrases in shell history/scripts.
- Rotate compromised or expired material immediately.
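
One way to check the CA key handling and passphrase points above on a signing host, as an added example that is not part of easy-rsa. It assumes the easy-rsa 3 default layout (`<pki>/private/ca.key`); the function names, the `--demo` switch and the fixture contents are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for an easy-rsa style PKI directory.
# Assumption: the CA key is at <pki>/private/ca.key (easy-rsa 3 default layout).

# key_is_encrypted FILE -> 0 if the PEM header marks the key as passphrase-protected.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# key_is_private FILE -> 0 if group and other have no permission bits set.
key_is_private() {
    [ "$(ls -Lld "$1" | cut -c5-10)" = "------" ]
}

# has_inline_passphrase FILE -> 0 if a script embeds an OpenSSL "pass:" literal.
has_inline_passphrase() {
    grep -Eq 'pass(in|out)[= ]+pass:' "$1"
}

# audit_pki PKI_DIR [SCRIPT...] -> prints findings, returns the number found.
audit_pki() {
    pki=$1; shift; findings=0
    key="$pki/private/ca.key"
    if [ ! -f "$key" ]; then
        echo "INFO: no CA key at $key (offline CA or wrong path)"
    else
        key_is_encrypted "$key" || { echo "FAIL: $key has no passphrase"; findings=$((findings+1)); }
        key_is_private "$key" || { echo "FAIL: $key readable by group/other"; findings=$((findings+1)); }
    fi
    for s in "$@"; do
        if has_inline_passphrase "$s"; then
            echo "FAIL: $s embeds a passphrase literal"; findings=$((findings+1))
        fi
    done
    return "$findings"
}

# make_sample_pki DIR -> constructed fixture: unencrypted, world-readable key stub
# and a script with an inline passphrase. The key body is a placeholder, not a key.
make_sample_pki() {
    mkdir -p "$1/private"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$1/private/ca.key"
    chmod 644 "$1/private/ca.key"
    printf '%s\n' 'openssl rsa -in ca.key -passin pass:EXAMPLE-ONLY' > "$1/sign.sh"
}

# Demo on the constructed fixture: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_sample_pki "$d"
    audit_pki "$d" "$d/sign.sh" || echo "findings: $?"
    rm -rf "$d"
fi
```

A missing `ca.key` is reported as informational rather than a failure, since an offline root CA should not have its key on the host being audited.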