It's the same thing as root/intermediate TLS certificates. You basically store the root in the safe and keep the intermediate online, so you can use it to sign stuff (e.g., generate certificates for customers' domains). If the intermediate is compromised, you revoke it, get the root and generate a new intermediate.
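As an added example (not part of the comment above, and not anyone's production CA code), the following Go program walks through that scenario with nothing but the standard library's crypto/x509: a self-signed root issues an intermediate, the intermediate issues a customer certificate, a TLS-client-style verification chains the customer certificate back to the root, the root then revokes the intermediate, and a replacement intermediate is issued so the customer can be re-issued. The comment only says "revoke"; a CRL signed by the root is the mechanism chosen here. The CA names, serial numbers and the host name customer.example.com are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template: CAs get CertSign|CRLSign, a non-root CA also pathlen:0 (it cannot mint sub-CAs); leaves get a SAN.
func template(cn string, serial int64, ca, root bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		t.MaxPathLenZero = !root
	} else {
		t.DNSNames = []string{cn}
	}
	return t
}

// issue makes a P-256 key and has parentKey sign tmpl; parent == nil means self-signed (the offline root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyLeaf is the TLS client's view: only root is trusted; Verify never consults a CRL (see isRevoked).
func verifyLeaf(leaf, intermediate, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// revokeIntermediate: the root key, taken out of the safe, signs a CRL naming the intermediate.
func revokeIntermediate(root *x509.Certificate, rootKey *ecdsa.PrivateKey, inter *x509.Certificate) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: inter.SerialNumber, RevocationTime: time.Now()}},
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, root, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// isRevoked: cert is revoked only if its serial is on a CRL that issuer really signed.
func isRevoked(crl *x509.RevocationList, issuer, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err // unverifiable CRL: reject, do not silently treat as "not revoked"
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	const host = "customer.example.com" // constructed example name
	root, rootKey, _ := issue(template("Example Root CA", 1, true, true), nil, nil)
	inter, intKey, _ := issue(template("Example Intermediate CA", 2, true, false), root, rootKey)
	leaf, _, _ := issue(template(host, 3, false, false), inter, intKey)
	fmt.Println("customer cert chains to root:", verifyLeaf(leaf, inter, root, host) == nil)
	crl, _ := revokeIntermediate(root, rootKey, inter)
	onCRL, _ := isRevoked(crl, root, inter)
	fmt.Println("old intermediate on the root's CRL:", onCRL)
	inter2, intKey2, _ := issue(template("Example Intermediate CA G2", 4, true, false), root, rootKey)
	leaf2, _, _ := issue(template(host, 5, false, false), inter2, intKey2)
	fmt.Println("after recovery, re-issued cert chains via new intermediate:", verifyLeaf(leaf2, inter2, root, host) == nil)
}
```

Two things the code makes explicit that the comment leaves implicit: the intermediate is issued with pathlen:0, so a stolen intermediate key can sign customer certificates but not further CAs; and chain building (`Verify`) does not look at the CRL at all, so the relying party must run the revocation check as a separate step, otherwise certificates under the revoked intermediate keep validating until they expire.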