Once I though that CA where serious business, with the biggest of them hosted in bunkers with complete security for the keys.
Happy to hear it since I had the same idealistic vision and in the past was doubtfull of our company solution that uses a non networked machine to sign certs that is in a protected aread but not a bunker or faraday change. Only was to import/export data (requested and certs) is via DLT tape. Afterall it doesn't seem such a lousy solution
All power corrupts, but we need electricity.