I’d suggest using XCA or trying the new TrustCenter function in the PKI-as-a-Service portal.
The latter allows you to use things like key domains and public key authentication to protect your key material. It also provides for typical CA processes, like role-based request processing (e.g. RA officer approves request, CA officer issues certificate).