The tasks can be summarized in four steps, assuming you followed the steps in your key signing ceremony to retrieve the CA.

  1. Issue a new Certificate Revocation List (CRL) and publish it to the configured Offline Certification Authority distribution points.

  2. Apply major release updates, such as service packs, to the offline Certification Authority. You don’t need to apply any security updates, because the Offline Certification Authority should never be connected to the network.

  3. Take a new CA backup and save it to a location outlined in your key signing ceremony.

  4. Power off the Offline Certification Authority and follow the steps in the key signing ceremony to secure the CA.

The steps above assume you followed the security best practices when building an offline CA.
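
The four steps above, scripted in PowerShell for an elevated session on the offline CA. This is an added example, not part of the original page; the `E:\` paths are hypothetical stand-ins for the removable media and backup location named in your key signing ceremony, and the CertEnroll folder is assumed to be at its default location.

```powershell
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Assumptions: default CertEnroll folder; E:\ is hypothetical removable media.
$CertEnroll = Join-Path $env:windir 'System32\CertSrv\CertEnroll'
$Transfer   = 'E:\crl-transfer'
$BackupDir  = Join-Path 'E:\ca-backup' (Get-Date -Format 'yyyyMMdd-HHmmss')

# Step 1: issue a new CRL, then stage it for the distribution points.
$started = Get-Date
certutil.exe -CRL
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }

$crls = Get-ChildItem -Path $CertEnroll -Filter '*.crl'
if (-not $crls) { throw "No CRL files found in $CertEnroll" }

New-Item -ItemType Directory -Path $Transfer -Force | Out-Null
foreach ($crl in $crls) {
    if ($crl.LastWriteTime -lt $started) {
        # A file that was not rewritten may be a leftover; check it before publishing.
        Write-Warning "$($crl.Name) was not refreshed by this run"
    }
    Copy-Item -Path $crl.FullName -Destination $Transfer -Force
}

# Record SHA-256 hashes so the copy can be checked again on the publishing host.
Get-FileHash -Algorithm SHA256 -Path (Join-Path $Transfer '*.crl') |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $Transfer 'crl-hashes.csv') -NoTypeInformation

# Step 2: major release updates (service packs) are installed by hand from
# offline media and are not scripted here.

# Step 3: take a new CA backup (database and private key) into an empty folder.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupPassword = Read-Host -AsSecureString -Prompt 'Password protecting the CA key backup'
Backup-CARoleService -Path $BackupDir -Password $backupPassword

# Step 4: power off; securing the CA afterwards follows the key signing ceremony.
Stop-Computer
```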