Use a Sub-CA as "Root-CA"? #196

@maikxmh

Hello,
first of all, that's a very nice project and I'm happy that I found it!

I would like to add a Sub-CA certificate as "root-CA" so we don't need to roll out a new root-CA.

I'm able to upload the Sub-CA and key and generate a new Intermediate.

When LabCA restarts to finalize the setup, boulder throws an error like this:

labca-boulder-1 | 2025-08-14T12:29:49.498863+00:00Z boulder-publisher[215]: 3 boulder-publisher q47sqAU [AUDIT] failed to load chain.: final cert in chain ("CN=<hidden>"; "labca/certs/webpki/root-01-cert.pem") must be self-signed (used only for validation): crypto/rsa: verification error

I tried to change the config in publisher.json and wfe2.json and add the real CA to the chain. But the config files get overwritten during startup.

Does anyone have the same problem?

Thanks!
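
The self-signature requirement named in the error above, reproduced as an added example (not part of the original issue and not LabCA's or Boulder's code): it builds a constructed root and sub-CA in memory and verifies each certificate's signature against its own RSA key with Go's `CheckSignatureFrom`. That this matches Boulder's own check is an assumption; `must`, `selfSignedErr` and `makeCA` are hypothetical helper names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on err; setup failures are fatal in this demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedErr is nil only if cert's signature verifies under its own public key.
// Assumption: this mirrors the check behind Boulder's "must be self-signed" error.
func selfSignedErr(cert *x509.Certificate) error {
	return cert.CheckSignatureFrom(cert)
}

// makeCA issues a constructed CA certificate; parent == nil means self-signed.
func makeCA(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func main() {
	root, rootKey := makeCA("Constructed Root CA", nil, nil)
	sub, _ := makeCA("Constructed Sub-CA", root, rootKey)
	fmt.Printf("root: %v\nsub-CA: %v\n", selfSignedErr(root), selfSignedErr(sub))
}
```

The sub-CA is a valid CA certificate and verifies against the root's key, but its signature was made by the root, so it cannot pass a self-signature check at the end of a chain.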