How to setup a secure SSL certificate authority machine

[sabatorg () gmail com]

I am working for a company that has several internal CA's which are used to sign internal certificates. We use a laptop 
which has no network connectivity and is stored in a lock-box while not in use for all of our key management. SSL keys 
are transported with a USB stick which is also stored along with the key machine. This makes it impossible for the 
security engineers to do any key management while they are not at the office (after hours, weekends, vacation, etc).

I would like to make the key machine accessible remotely but put some heavy restrictions on it. Some of the thoughts 
that I had were: 
1. Have a server in a raised floor environment with physical security as well as a server rack lock. 
2. Run some variant of Linux and require SSH key authentication to the host. This way I can enforce multi-factor 
authentication (ssh key and pass-phrase on the key). I can also make remote management be tunneled through the SSH 
connection. 
3. Have a VirtualBox guest be the keymachine. 
4. Setup an encrypted partition with a password on it for the Guest machine files and not have the partition mounted 
when the key machine is not in use.

Any feedback would be great!

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain 
a laser like insight into what is covered on the exam, with zero fluff! 

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------