How do I actually air gap my CA computer?

  1. All Windows updates are available as downloads that you can apply locally, and similarly for Linux. Enterprise management tools can also be used to provide networked updates without needing to connect the CA machine to the Internet. You could temporarily connect to the local network with a Windows firewall rule that only allows a connection to the address of the management server.

  2. Intermediate Certificates act like the root cert but have a more limited scope. So you can create a set of intermediate certs for specific signing purposes and with short expiry dates to limit the impact of them being compromised. Yes, you still need to keep the intermediate certs secure but the impact of compromise is a lot less if done correctly.

    If you need to create a new Intermediate certificate, you do so on the CA machine with a clean USB stick or similar.

    Clearly, you will understand that you must keep the CA machine physically secured. It should be in a secured cabinet in a secured room. Access to the machine must be tightly controlled and all access carefully recorded.


UPDATE: Someone else mentioned using a hardware encryption module (HSM). Certainly this would also improve security on the CA machine, making it much harder to compromise the keys, and is highly recommended. I should have included that before.


If you are really, really, really serious about this, then:

  1. You don't. In the very unlikely event that you feel the need for an update, you do a fresh re-install from a burned CD/DVD.
  2. Any data must be transferred manually. You can read from one screen and type on another computer; you might consider QR codes that you can print and scan. As there's not that much data that needs to be moved around, this can be done.