The tasks can be summarized in four steps assuming you followed the steps in your
key signing ceremony to retrieve the CA.
Issue a new Certificate Revocation List (CRL) and publish it to the configured Offline Certification Authority distribution points.
Apply major release updates to the offline Certification Authority – such as service packs – take into consideration that you don’t need to apply any security updates because the
Offline Certification Authority should
never be connected to the network.
Take a new CA backup
and save it to a location outlined in your key signing ceremony.
Power off the Offline Certification Authority and follow the steps in the key signing ceremony to secure the CA.
The steps above assume you followed the
security best practices when building an offline CA.
> you don’t need to apply any security updates because the Offline Certification Authority should never be connected to the network
Considering that Stuxnet and Flame were likely delivered by USB, CD, or other media I'm sure that this advice is invalid. I would suggest purchasing a new USB stick / Floppy, using it once for the reKey / backup and destroy it afterward. Once that media *touches* less secure devices it should be considered tainted.
Major release updates are service packs which MUST be installed to maintain operating system support