We stood up the root CA, created the certificate, imported it, then destroyed the root CA. It’s a common security practice. The root CA can then never be compromised.
The root CA certificate is used to establish trust in the chain of trust, but it is not directly involved in the certificate issuance process once the trust has been established.
1. ACME is a dumpster fire prone to MITM attacks.
2. Without an HSM (an additional investment), it's a super bad idea to host your root CA signing key somewhere.
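
The following Go program is an added example, not code from the original post. It shows the property the first comment relies on: the root key signs an intermediate once, is discarded, and a leaf issued afterwards still verifies against the root certificate alone. The certificate names, the Ed25519 key type, the in-memory keys and the function names `issue` and `VerifyAfterRootKeyDestroyed` are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a fresh key for cn and has signer certify it; a nil parent means self-signed (hypothetical helper).
func issue(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0}
	if parent == nil {
		parent, signer = t, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyAfterRootKeyDestroyed issues a leaf after the root key is gone and validates it against the root certificate.
func VerifyAfterRootKeyDestroyed() error {
	const caUse = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey := issue("Example Root CA", 1, caUse, nil, nil)
	inter, interKey := issue("Example Issuing CA", 2, caUse, root, rootKey)
	rootKey = nil // stand-in for destroying the key; only the root certificate (public data) is kept
	leaf, _ := issue("host.example.internal", 3, x509.KeyUsageDigitalSignature, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

func main() { fmt.Println("leaf verifies with root key gone:", VerifyAfterRootKeyDestroyed() == nil) }
```

Once the root key is gone, that root can no longer sign a replacement intermediate or a CRL, so rotating or revoking the intermediate means distributing a new root certificate.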