
Right way to create an intermediate certificate authority which is created through CLI without db connection #1339

Open
thehellmaker opened this issue Nov 25, 2023 · 0 comments

Comments

@thehellmaker

Hi CFSSL Team,
First of all CFSSL is a lovely piece of software. Thank you so much for building and open sourcing it.

To start an API server and let it handle signing using an intermediate certificate, we first need to:

  1. Create a self-signed root CA using the CLI: cfssl gencert -initca
  2. Create an intermediate CA using the CLI, signed by the root CA
  3. Start the API server with cfssl serve, passing the intermediate certificate via the -ca and -ca-key options along with a db config option. (I am using PostgreSQL for my setup.)

After that, all certificates created using the API will have their cert details (without the private key) stored in the Postgres DB. This will enable us to call revoke on those certificates.

Since the root and intermediate CA themselves were created using the CLI, they were not added to the DB. What is the right way to set this up so that intermediate CAs can be revoked as well in case of a breach, since the intermediate PEM and keys are on the server and not air-gapped like the root CA?

One approach is:

  1. Create the root CA
  2. Start the API server with the root CA
  3. Call the /api/v1/cfssl/newcert API with the profile of the intermediate CA
  4. Stop the API server and then start it again with the intermediate CA as the -ca and -ca-key options

Is this the correct way to do it?
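The four-step bootstrap sketched in this issue, written out as a POSIX shell script. This is an added example, not code from the issue author or from the CFSSL project. It assumes the cfssl and cfssljson binaries are on PATH, a reachable PostgreSQL with the certdb schema already applied, and that curl is available; the file names, the "intermediate" profile name and the database DSN are constructed for the example. The point it demonstrates is that the intermediate is issued through the API rather than the CLI, so its serial lands in certdb and the normal revoke path applies to it, while the root (issued offline with gencert -initca) never enters the database.

```shell
#!/bin/sh
# Added example (not from the issue author or the CFSSL project).
# Assumes: cfssl, cfssljson and curl on PATH; PostgreSQL reachable with the
# certdb schema. All file names and the DSN below are constructed values.
set -eu

WORKDIR="${WORKDIR:-./cfssl-bootstrap}"
API="${API:-http://127.0.0.1:8888}"

# Write the JSON inputs: root CSR, intermediate CSR, a signing config with an
# "intermediate" profile, and the db-config passed to cfssl serve -db-config.
write_configs() {
  mkdir -p "$WORKDIR"
  cat > "$WORKDIR/root-csr.json" <<'EOF'
{ "CN": "Example Root CA", "key": { "algo": "ecdsa", "size": 256 },
  "names": [ { "O": "Example" } ], "ca": { "expiry": "87600h" } }
EOF
  cat > "$WORKDIR/intermediate-csr.json" <<'EOF'
{ "CN": "Example Intermediate CA", "key": { "algo": "ecdsa", "size": 256 },
  "names": [ { "O": "Example" } ] }
EOF
  # The profile limits the issued cert to CA usages with path length 0, so the
  # intermediate can sign leaf certificates but cannot mint further CAs.
  cat > "$WORKDIR/config.json" <<'EOF'
{ "signing": {
    "default": { "expiry": "8760h",
                 "usages": ["signing", "key encipherment", "server auth", "client auth"] },
    "profiles": {
      "intermediate": {
        "expiry": "43800h",
        "usages": ["cert sign", "crl sign"],
        "ca_constraint": { "is_ca": true, "max_path_len": 0, "max_path_len_zero": true }
      } } } }
EOF
  # Constructed DSN; keep sslmode=require so the certdb traffic is encrypted.
  cat > "$WORKDIR/db.json" <<'EOF'
{ "driver": "postgres",
  "data_source": "postgres://cfssl:CHANGEME@127.0.0.1:5432/cfssl?sslmode=require" }
EOF
}

# Step 1: self-signed root via the CLI. This never touches the DB, which is
# exactly the limitation the issue describes; the root key should go offline.
create_root() {
  (cd "$WORKDIR" && cfssl gencert -initca root-csr.json | cfssljson -bare root)
}

# Step 2: serve with the root CA and the DB config so what it issues is recorded.
serve_root() {
  (cd "$WORKDIR" && cfssl serve -ca root.pem -ca-key root-key.pem \
     -config config.json -db-config db.json -address 127.0.0.1 -port 8888 &
   echo $! > root-serve.pid)
  sleep 2
}

# Step 3: request the intermediate through the API with the CA profile.
# Because it is issued by the serving process, its serial is now in certdb.
request_intermediate() {
  payload=$(printf '{"request": %s, "profile": "intermediate"}' \
            "$(cat "$WORKDIR/intermediate-csr.json")")
  curl -sS -X POST -H 'Content-Type: application/json' -d "$payload" \
       "$API/api/v1/cfssl/newcert" > "$WORKDIR/intermediate-resp.json"
  (cd "$WORKDIR" && cfssljson -f intermediate-resp.json -bare intermediate)
}

# Step 4: stop the root-backed server and bring it up on the intermediate.
serve_intermediate() {
  kill "$(cat "$WORKDIR/root-serve.pid")"
  (cd "$WORKDIR" && cfssl serve -ca intermediate.pem -ca-key intermediate-key.pem \
     -config config.json -db-config db.json -address 127.0.0.1 -port 8888)
}

# Run the whole sequence only when invoked as: sh bootstrap.sh run
if [ "${1:-}" = "run" ]; then
  write_configs
  create_root
  serve_root
  request_intermediate
  serve_intermediate
fi
```

After step 3 the intermediate's serial and authority key id are in certdb alongside every leaf it will later sign, so the same revoke endpoint the post relies on for leaves covers the intermediate too; the root remains outside the database, which is acceptable only because its key is kept offline.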
