Our roots are kept safely offline. We issue end-entity certificates to subscribers from the intermediates in the relevant PKI applications.