[wejn]

Because:

1. ACME is a dumpster fire prone to mitm attacks.

2. without HSM (an additional investment) it's super bad idea to host your root CA signing key somewhere.

[firesteelrain]

This is an internal, airgapped network.

We stood up the root CA, created the certificate, imported it, then destroyed the root CA. It’s a common security practice. Root CA can then never be compromised

[wejn]

If you destroy the CA, how do you issue new certs via ACME?

[firesteelrain]

Sub CAs or Intermediate CA

The root CA certificate is used to establish trust in the chain of trust, but it is not directly involved in the certificate issuance process once the trust has been established.