@sofiaritz oh I've been running my own constrained root CA since November. The root is stored on a YubiKey with a PIN and touch policy. I have a repo with docs on how I did it. https://github.com/scj643/yubikey-openssl-ca I use HashiCorp Vault as my 2 intermediates, which are split into server and client usage constraints.
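The hierarchy the post describes (a name-constrained root with one intermediate restricted to serverAuth and one to clientAuth), as an added example that is not part of the post or the linked repo. It uses Go's crypto/x509 with in-memory ECDSA keys standing in for the YubiKey-held root and the Vault-held intermediates; the domain `home.example`, the CA names and the leaf names are assumptions. It then verifies four leaves the way a TLS peer would, showing that a server certificate minted by the client intermediate, or for a name outside the root's permitted domain, is rejected by chain validation alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is one signing authority: its certificate and private key. The post keeps the
// root key on a YubiKey and the intermediates in Vault; here all keys are software
// keys (assumption) so the whole hierarchy can be built and checked in one process.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// PKI is a name-constrained root with two intermediates split by extended key usage.
type PKI struct {
	Root, ServerCA, ClientCA CA
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

func serial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	check(err)
	return n
}

// sign issues tmpl for pub, signed by parent's key (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

func caTemplate(cn string, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: serial(), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildPKI creates the hierarchy. The root carries a critical name constraint so nothing
// below it can issue for a DNS name outside `domain`; each intermediate carries exactly
// one extended key usage and a path length of zero, so it can only issue leaf certificates.
func BuildPKI(domain string) *PKI {
	rootKey := newKey()
	root := caTemplate("Example Home Root CA", 10)
	root.MaxPathLen = 1 // exactly one intermediate level below the root
	root.PermittedDNSDomainsCritical = true
	root.PermittedDNSDomains = []string{domain}
	rootCert := sign(root, root, &rootKey.PublicKey, rootKey)

	intermediate := func(cn string, eku x509.ExtKeyUsage) CA {
		key := newKey()
		tmpl := caTemplate(cn, 5)
		tmpl.MaxPathLen, tmpl.MaxPathLenZero = 0, true
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		return CA{Cert: sign(tmpl, rootCert, &key.PublicKey, rootKey), Key: key}
	}
	return &PKI{
		Root:     CA{Cert: rootCert, Key: rootKey},
		ServerCA: intermediate("Example Home Server CA", x509.ExtKeyUsageServerAuth),
		ClientCA: intermediate("Example Home Client CA", x509.ExtKeyUsageClientAuth),
	}
}

// Issue signs a leaf under this CA; dnsNames is nil for client certificates.
func (ca CA) Issue(cn string, dnsNames []string, eku x509.ExtKeyUsage) *x509.Certificate {
	key := newKey() // the leaf's key pair; only the certificate matters for this demo
	tmpl := &x509.Certificate{
		SerialNumber: serial(), Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	return sign(tmpl, ca.Cert, &key.PublicKey, ca.Key)
}

// Verify chains leaf through the intermediates to the root for the requested usage and,
// for server certificates, the hostname. Go enforces both the root's name constraint and
// each intermediate's EKU during chain building, so a mismatch fails before hostname checks.
func (p *PKI) Verify(leaf *x509.Certificate, usage x509.ExtKeyUsage, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root.Cert)
	inters.AddCert(p.ServerCA.Cert)
	inters.AddCert(p.ClientCA.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

func main() {
	p := BuildPKI("home.example")
	nas := p.ServerCA.Issue("nas", []string{"nas.home.example"}, x509.ExtKeyUsageServerAuth)
	laptop := p.ClientCA.Issue("laptop", nil, x509.ExtKeyUsageClientAuth)
	wrongCA := p.ClientCA.Issue("nas", []string{"nas.home.example"}, x509.ExtKeyUsageServerAuth)
	outside := p.ServerCA.Issue("evil", []string{"login.example.com"}, x509.ExtKeyUsageServerAuth)
	fmt.Println("server cert via server CA:", p.Verify(nas, x509.ExtKeyUsageServerAuth, "nas.home.example"))
	fmt.Println("client cert via client CA:", p.Verify(laptop, x509.ExtKeyUsageClientAuth, ""))
	fmt.Println("server cert via client CA:", p.Verify(wrongCA, x509.ExtKeyUsageServerAuth, "nas.home.example"))
	fmt.Println("server cert outside domain:", p.Verify(outside, x509.ExtKeyUsageServerAuth, "login.example.com"))
}
```

The two rejections are the point of splitting the intermediates and constraining the root: even if the client-issuing intermediate in Vault is abused, the certificates it produces are useless for impersonating a server, and a compromise of either intermediate cannot mint a trusted certificate for any name outside the permitted domain.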