Very interesting. But I think the root key and CA should be done offline, that is, on a system that is not networked. Then the "end user" private key and CA may be generated offline and moved to online. Ditto with the OCSP signing CA for the OCSP server.

--

Dale Smith, Ph.D.

Co-Founder and Chief Research Officer — Vallum Software. My interests are in C/C++, machine learning, Python, Pandas, and Jupyter Notebooks.
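The two-tier layout the comment above recommends (offline root, separately generated issuing CA, separate OCSP signing certificate), as an added example that is not part of the original comment or its author's work. It assumes the `openssl` CLI (1.1.1 or later); the scratch directory, subject names and validity periods are constructed for illustration.

```shell
# Added example, not from the original comment or its author: builds the
# hierarchy the comment describes in a scratch directory with the openssl CLI.
# Directory layout, subject names and validity periods are assumptions.
set -eu

# Build: offline root -> issuing CA -> OCSP responder signer.
# Only issuing.key/issuing.crt and ocsp.key/ocsp.crt would move to the online
# hosts; root.key never leaves the offline system.
build_pki() {
  dir="$1"
  mkdir -p "$dir"
  (
    cd "$dir"
    # 1. Root CA: self-signed, CA:TRUE, key usage limited to signing certs/CRLs.
    openssl ecparam -name prime256v1 -genkey -noout -out root.key
    openssl req -new -key root.key -out root.csr -subj "/CN=Example Offline Root CA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
    openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 3650 -extfile root.ext
    # 2. Issuing ("end user") CA, signed by the root; pathlen:0 so it cannot
    #    mint further CAs if its key is ever exposed on the online system.
    openssl ecparam -name prime256v1 -genkey -noout -out issuing.key
    openssl req -new -key issuing.key -out issuing.csr -subj "/CN=Example Issuing CA"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > issuing.ext
    openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -out issuing.crt -days 1825 -extfile issuing.ext
    # 3. OCSP responder certificate, signed by the issuing CA with the
    #    OCSPSigning EKU so the responder never needs the CA key online.
    openssl ecparam -name prime256v1 -genkey -noout -out ocsp.key
    openssl req -new -key ocsp.key -out ocsp.csr -subj "/CN=Example OCSP Responder"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=OCSPSigning\n' > ocsp.ext
    openssl x509 -req -in ocsp.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
      -out ocsp.crt -days 365 -extfile ocsp.ext
  )
}

# Checks to run before trusting the hierarchy: both chains validate to the
# root, and the OCSP signer is a non-CA leaf that carries OCSP Signing.
verify_pki() {
  dir="$1"
  openssl verify -CAfile "$dir/root.crt" "$dir/issuing.crt" >/dev/null || return 1
  openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/issuing.crt" "$dir/ocsp.crt" >/dev/null || return 1
  ocsp_text=$(openssl x509 -in "$dir/ocsp.crt" -noout -text)
  echo "$ocsp_text" | grep -q 'OCSP Signing' || return 1
  echo "$ocsp_text" | grep -q 'CA:FALSE' || return 1
  return 0
}
```

Run `build_pki ./pki && verify_pki ./pki` to exercise it; on a real deployment the first block runs on the offline machine and only the issuing and OCSP material is copied out.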