I am about to setup certificates for our company. Initially for openVPN, but later for other things. I have been trying to decide where to put the CA. Ideally, I would think it should be on a machine that is isolated from the network. In many ways this is impractical or at least very inconvenient. How does everyone else deal with this?