If a private key has been stolen, what is the recommended course of action?

Prepare for the TestOut Security Pro English 8.0 Test with our comprehensive quiz. Study with interactive flashcards and multiple-choice questions, each offering detailed hints and explanations. Excel in your cybersecurity knowledge!

When a private key has been stolen, the recommended course of action is to add the digital certificate associated with that private key to the Certificate Revocation List (CRL). This is essential because the CRL serves as a mechanism to inform users and systems that the certificate is no longer valid and should not be trusted.

Placing the digital certificate on the CRL prevents any further use of the stolen private key, mitigating the risk of unauthorized access or data breaches that could occur if the key were used maliciously. This step helps maintain the overall security of the public key infrastructure (PKI) by ensuring that any entity relying on that certificate can clearly see that it has been revoked and should not be considered valid.

While placing a private key in escrow, deleting the public key, or recovering the private key from escrow may involve other considerations, they do not directly address the immediate need to protect the integrity of the system and its data from the consequences of a compromised private key. Thus, adding the digital certificate to the CRL is the most effective action in this scenario.
