
offline root CA workflow

Çağlar Arlı


I have reviewed several discussions here regarding offline root CA management. While useful, none quite capture my question.

Firstly, it presumably would not generally be assessed as an 'offline' root if its key is in a network-connected HSM, no matter how well protected (with a PIN, behind a firewall, etc.)?

In my setup, a physical laptop or desktop which can be disconnected, powered off and physically secured is probably not feasible. So I'm thinking of something like a bootable Tails USB: boot from this on a host and use an encrypted partition of Tails to store the root key, and thus issue the root CA from that environment. As the online intermediate signing CA cert has to be issued by the root and be online (with its key in an HSM), how do I get that issuing CA's certificate request into Tails to create the certificate sufficiently securely? It seems that sneaker-net is essential and the use of USB storage is mandatory.

Does having two HSMs make a good solution? One contains the root CA key and is powered off except when needed, and another, online, one manages the issuing certificate's key.

Publishing a CRL by the root CA is another component of the ecosystem that is tricky.

Another aspect of which I am unsure: if creating, as far as is possible, a known-untampered Tails USB instance is possible, is its use on a general-use laptop or desktop safe enough? If the USB is read-only, I can't store anything on it, such as an issued certificate. If it is read/write, then a vector exists to compromise it from the laptop/desktop on which it is used.

I'm seeking opinions on the workflow for using 'offline' root CAs more than on the technical steps involved. I realise these design decisions are driven by risk appetite and consequences. Guidance and lived experience would help. Thank you.
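As an added example, not part of the original question, here is the workflow it describes written out as an openssl ceremony script: root key and CA database on the offline volume, the issuing CA's CSR carried in on the stick, the signed certificate and a freshly signed root CRL carried back out, and a revocation run to show why the CRL has to be re-signed at every ceremony. The openssl CLI (1.1.1 or later), the three directories standing in for the three zones, the subject names and the lifetimes are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: an offline root CA ceremony with the openssl CLI (1.1.1+ assumed); paths, subjects and lifetimes are illustrative.
#   $OFFLINE  root CA state, i.e. the encrypted persistent volume inside Tails
#   $ONLINE   the issuing CA host (its key would really live in an HSM)
#   $USB      the sneaker-net stick: CSR goes in, certificate and CRL come out
set -eu

OFFLINE="${OFFLINE:-$(mktemp -d)}"
ONLINE="${ONLINE:-$(mktemp -d)}"
USB="${USB:-$(mktemp -d)}"
ROOT="$OFFLINE/root"

# One-time setup in the offline environment: the key, a self-signed root cert
# and the bookkeeping files 'openssl ca' needs (database, serial, CRL number).
init_root_ca() {
    mkdir -p "$ROOT/newcerts"
    : > "$ROOT/index.txt"; echo 1000 > "$ROOT/serial"; echo 1000 > "$ROOT/crlnumber"
    cat > "$ROOT/openssl.cnf" <<EOF
[ ca ]
default_ca = root_ca
[ root_ca ]
dir = $ROOT
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/root.crt
private_key = \$dir/root.key
default_md = sha384
default_days = 1825
default_crl_days = 365
policy = root_policy
[ root_policy ]
organizationName = match
commonName = supplied
[ v3_issuing ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ req ]
prompt = no
distinguished_name = root_dn
x509_extensions = v3_root
[ root_dn ]
O = Example
CN = Example Root CA
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # The root key is generated here and never leaves this volume.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -out "$ROOT/root.key"
    chmod 600 "$ROOT/root.key"
    openssl req -config "$ROOT/openssl.cnf" -x509 -new -key "$ROOT/root.key" \
        -days 3650 -out "$ROOT/root.crt"
}

# On the online issuing CA: generate its key and a CSR. Only the CSR goes on the USB.
make_issuing_csr() {
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nO = Example\nCN = Example Issuing CA\n' \
        > "$ONLINE/req.cnf"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -out "$ONLINE/issuing.key"
    openssl req -config "$ONLINE/req.cnf" -new -key "$ONLINE/issuing.key" -out "$USB/issuing.csr"
}

# The root signs a CRL only during a ceremony, so default_crl_days must outlast
# the gap until the next one or relying parties are left with an expired CRL.
publish_crl() {
    openssl ca -config "$ROOT/openssl.cnf" -gencrl -out "$USB/root.crl"
}

# The ceremony, run in the offline environment with the USB mounted.
sign_issuing_ca() {
    # The CSR came off untrusted media: check its self-signature and subject first.
    openssl req -in "$USB/issuing.csr" -noout -verify -subject
    openssl ca -batch -config "$ROOT/openssl.cnf" -extensions v3_issuing -notext \
        -in "$USB/issuing.csr" -out "$USB/issuing.crt"
    publish_crl
    cp "$ROOT/root.crt" "$USB/root.crt"
}

# Revoking the issuing CA is another ceremony: record it, then sign a fresh CRL.
revoke_issuing_ca() {
    openssl ca -config "$ROOT/openssl.cnf" -revoke "$USB/issuing.crt" -crl_reason keyCompromise
    publish_crl
}

# Relying-party check (chain to the root, consult the root's CRL) and a CRL entry count.
verify_issuing_ca() { openssl verify -CAfile "$USB/root.crt" -CRLfile "$USB/root.crl" -crl_check "$USB/issuing.crt"; }
crl_revoked_count() { openssl crl -in "$USB/root.crl" -noout -text | grep -c 'Serial Number:' || true; }

init_root_ca; make_issuing_csr; sign_issuing_ca   # setup, CSR out of the online box, ceremony
verify_issuing_ca
revoke_issuing_ca
if verify_issuing_ca 2>/dev/null; then echo "error: revoked issuing CA still verifies" >&2; exit 1; fi
echo "issuing CA revoked; CRL now lists $(crl_revoked_count) certificate(s)"
```

Two design points this makes concrete. Everything read from the stick is treated as data to be checked (the CSR's self-signature and subject are inspected before `openssl ca` runs), and only signed artefacts are written back to it, so a tampered stick can at worst cause a refused ceremony. The root's CRL is signed only while the root is powered on, so its `default_crl_days` is really a statement of how often you commit to holding a ceremony; a shorter value is stricter but means more sneaker-net trips.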