The tasks can be summarized in four steps, assuming you followed the steps in your key signing ceremony to retrieve the CA.
Issue a new Certificate Revocation List (CRL) and publish it to the configured Offline Certification Authority distribution points.
Apply major release updates, such as service packs, to the Offline Certification Authority. You don't need to apply any security updates, because the Offline Certification Authority should never be connected to the network.
Take a new CA backup and save it to a location outlined in your key signing ceremony.
Power off the Offline Certification Authority and follow the steps in the key signing ceremony to secure the CA.
The steps above assume you followed the security best practices when building an offline CA.
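The following is an added example, not a script from the original page, showing how the CRL and backup steps could be run in an elevated PowerShell session. It assumes the offline CA is a Windows AD CS standalone CA with the default CertEnroll folder; the `E:\` paths are hypothetical placeholders for the removable media and backup location named in your key signing ceremony.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumption: AD CS standalone CA; E:\ paths are hypothetical.
$ErrorActionPreference = 'Stop'
$stamp     = Get-Date -Format 'yyyyMMdd'
$crlSource = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'  # AD CS default CRL folder
$crlExport = "E:\CRL-Export\$stamp"   # hypothetical: media carried to the distribution points
$backupDir = "E:\CA-Backup\$stamp"    # hypothetical: location outlined in the ceremony
New-Item -ItemType Directory -Path $crlExport, $backupDir -Force | Out-Null

# Step 1: issue a new CRL, then stage only the freshly written file(s).
$started = Get-Date
certutil -CRL
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }

$newCrls = Get-ChildItem -Path $crlSource -Filter '*.crl' |
    Where-Object { $_.LastWriteTime -ge $started.AddMinutes(-1) }
if (-not $newCrls) { throw "No freshly written CRL found in $crlSource" }

foreach ($crl in $newCrls) {
    # Show the validity window so the operator can confirm that NextUpdate
    # reaches past the date of the next planned maintenance ceremony.
    certutil -dump $crl.FullName | Select-String -Pattern 'ThisUpdate', 'NextUpdate'
    Copy-Item -Path $crl.FullName -Destination $crlExport
}

# Step 2 (major release updates) is done by hand from vetted offline media.

# Step 3: back up the CA database and private key, plus the CA configuration
# registry key, which Backup-CARoleService does not include.
$password = Read-Host -AsSecureString -Prompt 'Password protecting the CA key backup'
Backup-CARoleService -Path $backupDir -Password $password
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    "$backupDir\CertSvc-Configuration.reg" /y
if ($LASTEXITCODE -ne 0) { throw "Registry export failed with exit code $LASTEXITCODE" }

# Record SHA-256 hashes so a later restore can be checked against the ceremony log.
# The hashes are collected first so the manifest does not try to hash itself.
$hashes = Get-ChildItem -Path $backupDir -Recurse -File | Get-FileHash -Algorithm SHA256
$hashes | Select-Object Hash, Path |
    Export-Csv -Path "$backupDir\manifest-sha256.csv" -NoTypeInformation

# Step 4: power off; physically securing the CA follows the ceremony document.
Stop-Computer -Force
```

The copied CRL files still have to be carried to the configured distribution points by hand, since the CA itself stays disconnected.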