Offline PKI using 3 YubiKeys and an ARM single board computer
An offline PKI enhances security by physically isolating the certificate
authority from network threats. A YubiKey is a low-cost solution to store a
root certificate. You also need an air-gapped environment to operate the root
CA.
Offline PKI backed up by 3 YubiKeys
This post describes an offline PKI system using the following components:
- 2 YubiKeys for the root CA (with a 20-year validity),
- 1 YubiKey for the intermediate CA (with a 5-year validity), and
- 1 Libre Computer Sweet Potato as an air-g...
Read more at vincent.bernat.ch