Certificate Management and Security
I think it's quite obvious that a computer used to sign the certificates and keys that grant or restrict access to a company's network will receive special attention from anybody interested in accessing this network. My recommendation for a certificate server is to disconnect it from the network. Transfer keys and certificates with USB sticks or other non-network media.
This advice has been published many times before, because it is simply reasonable and true.
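The offline workflow recommended above, as an added example that is not part of the original text: three directories stand in for the networked host, the removable medium and the disconnected CA, and only the request and the signed certificate cross the medium, so no private key is copied onto it. Directory names and certificate subjects are constructed, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example. Three directories stand in for the machines involved
# (all names and subjects are constructed):
#   host/ = networked machine, usb/ = removable medium, ca/ = offline CA
set -eu

offline_sign() {  # $1 = empty working directory; returns 0 if the round trip verifies
  (
    cd "$1" && mkdir -p host usb ca || exit 1

    # Offline CA, done once: CA key and self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
      -subj "/CN=Example Offline CA" \
      -keyout ca/ca.key -out ca/ca.crt 2>/dev/null || exit 1
    chmod 600 ca/ca.key

    # Networked host: key pair and request. Only the request goes on the medium.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn-client-01" \
      -keyout host/client.key -out host/client.csr 2>/dev/null || exit 1
    sum=$(openssl dgst -sha256 -r host/client.csr | cut -d' ' -f1)
    cp host/client.csr usb/ || exit 1

    # Offline CA: compare the digest (read over by the operator), check the
    # request's self-signature, sign, and put the results on the medium.
    [ "$(openssl dgst -sha256 -r usb/client.csr | cut -d' ' -f1)" = "$sum" ] || exit 1
    openssl req -in usb/client.csr -noout -verify 2>/dev/null || exit 1
    openssl x509 -req -in usb/client.csr -CA ca/ca.crt -CAkey ca/ca.key \
      -CAcreateserial -days 365 -out usb/client.crt 2>/dev/null || exit 1
    cp ca/ca.crt usb/ || exit 1

    # Networked host: accept the certificate only if it chains to the CA.
    cp usb/client.crt usb/ca.crt host/ || exit 1
    openssl verify -CAfile host/ca.crt host/client.crt >/dev/null || exit 1
  )
}

work=$(mktemp -d)
offline_sign "$work" && ls "$work/usb"   # the medium never holds a *.key file
rm -rf "$work"
```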
However, anybody who really does separate a certificate server computer from the local network, and who does not control the network of a secret service, a bank or similar infrastructure, may send me an email. Most people simply wouldn't. In reality, certificate servers are merely programs running as a background job or as an application run by a non-privileged user. They say there are even Windows machines out there that do certificate management!
Nevertheless, there are some really cool and very reliable...