Question: In a two-tier hierarchy CA design, what is a common security best practice?

  A. The issuing CA servers are placed in different geographical locations.
  B. The intermediate or policy CA server is offline.
  C. The root CA server is offline.
  D. Only FIPS-compliant hardware security modules are used.

Answer: The correct answer to the above question is Option C: The root CA server is offline.