The CA does not need to be online. However, the CA public certificate may point to a web server which has revocation lists. This should be online.
Most implemenatations have a list of public CA certificates installed. Users can usually opt to trust a certificate even without the public CA certificate. The webserver will supply its public certificate if required. Depending on its configuration, it may server one or more certificates in the chain to the CA's public certificates. This can include the CA's certificate.
This mechanism can be used for other protocols based on TLS or the older SSL versions. Some other common protocols using TLS include LDAPS, STMPS, and IMAPS. It is common for servers of the base protocols to support StartTLS where the TLS is started on the normal unencrypted port.
EDIT: Most CAs distribute the certificates by Email or WebSite. These need to be online. There is no need for the signing certificate to ever be on a system connected to the Internet. However, it is much easier to avoid the Sneakernet and put it on a system connected to the Internet. This allows faster signing turnaround with less manual intervention. As we have seen, it does allow the signing key to be stolen.
In general, the key never needs to leave the system on which it is used. This applies all the way along the chain. What is important is to protect the key, the certificates must be publicly accessible to be useful. Putting keys on secure removable storage is an option but not without its own risks.
Having a secure password helps but for Certificate Authorities who issue high volumes of certificates, the password may be accessible to a signing script. This makes it easier to get both the key and its password.
Keeping the top level signing key offline and locked away in a vault is possible. A second level key can be used for signing certificates, and its certificate provided as a chain certificate. Recovering from loss of a second level key is easier than recovering from the loss of the primary signing key.
