An Offline Enterprise Root CA is usually frowned upon in PKI circles, but this is the case with Root CAs installed on servers with their private key material. Standalone Root CAs not attached to a network are preferable, but what if your private key material for the Root CA is stored on an external network-attached HSM where the partition is deactivated?
The presence of the network HSM means the Root CA needs to be attached to the network to access its private key, which in turn counters the fact that a standalone Root CA server should never be attached to a network.
Does this mean that an Enterprise Root CA is OK in this situation, or would it still be frowned upon?