Offline Certification Authorities are divided into two types depending on the PKI hierarchy tier you are building. In a 3 tier PKI hierarchy you should have at least 2 Offline CAs , defined as an offline
root CA and an offline policy CA. In a 2 tier hierarchy, you will only have a single offline CA, which is the offline root CA. The security practices discussed in this article apply to all offline CAs.
Offline CA Maintenance Tasks
Offline Root Certification Authority