There are many possible designs for CSUs; here is a description of one
design found in some current implementations. The CSU is activated by a
set of data keys, which are physical keys capable of storing digital
information. The data keys use secret-sharing technology such that
several people must all use their data keys to activate the CSU. This
prevents one disgruntled CA employee from producing phony certificates.
Note that if the CSU is destroyed, say in a fire, no security is
compromised. Certificates signed by the CSU are still valid, as long as the
verifier uses the correct public key. Some CSUs will be manufactured so
that a lost private key can be restored into a new CSU. See Question
3.3.10 for discussion of lost CA private keys.
Bolt, Beranek, and Newman (BBN) currently sells a CSU, and RSA Data Security sells a full-fledged certificate issuing system built around the BBN CSU.
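
The property described above, that every data-key holder must be present to activate the CSU, is shown here as an added example; it is not code from this FAQ or from any CSU vendor. It assumes a simple XOR-based n-of-n split, since the text does not say which secret-sharing scheme the data keys use, and ToyCSU and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from functools import reduce


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes, holders: int) -> list[bytes]:
    """Split `secret` into one share per holder; ALL shares are needed to rebuild it."""
    if holders < 2:
        raise ValueError("need at least two data-key holders")
    # The first n-1 shares are uniformly random pads ...
    shares = [secrets.token_bytes(len(secret)) for _ in range(holders - 1)]
    # ... and the last share is the secret XORed with every pad.
    shares.append(reduce(_xor, shares, secret))
    return shares


def combine_shares(shares: list[bytes]) -> bytes:
    """XOR all shares together; the order of the holders does not matter."""
    return reduce(_xor, shares)


class ToyCSU:
    """Hypothetical stand-in for a signing unit (assumption, not a real CSU design).
    It keeps only a digest of the activation secret, never the secret itself."""

    def __init__(self, activation_secret: bytes, holders: int):
        self._digest = hashlib.sha256(activation_secret).digest()
        self._holders = holders
        self._length = len(activation_secret)

    def activate(self, presented: list[bytes]) -> bool:
        # Refuse unless every holder presented a share of the right size.
        if len(presented) != self._holders:
            return False
        if any(len(share) != self._length for share in presented):
            return False
        candidate = hashlib.sha256(combine_shares(presented)).digest()
        return hmac.compare_digest(candidate, self._digest)


def demo() -> tuple[bool, bool, bool]:
    secret = secrets.token_bytes(32)      # constructed sample activation secret
    shares = split_secret(secret, 3)      # one data key per CA employee
    csu = ToyCSU(secret, 3)
    forged = shares[:2] + [secrets.token_bytes(32)]  # one employee substitutes a made-up key
    return csu.activate(shares), csu.activate(shares[:2]), csu.activate(forged)
```

Because each pad is uniformly random, any subset of fewer than all the shares is statistically independent of the activation secret, which is why a single employee's data key is useless on its own.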