I found a solution to apply a CA safely to users:
“The root certificate private key is offline, so this one can’t be stolen.
It was used to generate an intermediate key that is stored in a TPM.
This intermediate key is used to generate a short-lived ‘edge’ certificate that is only valid for 5 days and is regenerated every day.
The edge certificate is transferred encrypted and stored in memory only on our DNS edge servers.”
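The hierarchy the quoted text describes (offline root, intermediate that may only sign leaves, five-day edge certificates rotated daily) can be built and checked with nothing but Go's standard library. The program below is an added example, not code from the post or from whoever runs that PKI. It assumes plain in-memory ECDSA keys as stand-ins for the offline root key and the TPM-resident intermediate key, and a hypothetical edge host name `dns-edge.example.net`; the TPM and the encrypted transfer to the edge are outside what it shows.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Validity window of an edge certificate (five days, as in the post) and how
// often a fresh one is issued (daily).
const (
	EdgeLifetime   = 5 * 24 * time.Hour
	RotationPeriod = 24 * time.Hour
)

// Hierarchy holds the two CA tiers. In the real deployment the root key is
// offline and the intermediate key lives in a TPM; here both are ordinary
// in-memory ECDSA keys, an assumption made so the example runs anywhere.
type Hierarchy struct {
	Root, Intermediate       *x509.Certificate
	RootKey, IntermediateKey *ecdsa.PrivateKey
}

// sign issues tmpl for pub, signed by parent/signer (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate returns a CA certificate template. pathLenZero (pathlen:0)
// restricts the CA to signing end-entity certificates, which is what we want
// for the intermediate: even with the TPM key it cannot mint another CA.
func caTemplate(cn string, now time.Time, years int, pathLenZero bool) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now,
		NotAfter:              now.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        pathLenZero,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildHierarchy creates the (nominally offline) root and the (nominally
// TPM-resident) intermediate; the root key is used exactly once here.
func BuildHierarchy(now time.Time) (*Hierarchy, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	root, err := sign(caTemplate("Example Offline Root CA", now, 10, false), nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	interKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	inter, err := sign(caTemplate("Example TPM Intermediate CA", now, 2, true), root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, Intermediate: inter, RootKey: rootKey, IntermediateKey: interKey}, nil
}

// IssueEdge signs a short-lived server certificate for host, valid from
// issuedAt for EdgeLifetime. Only the intermediate key is touched; the edge
// private key is returned so the caller can keep it in memory only.
func IssueEdge(h *Hierarchy, host string, issuedAt time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		NotBefore:   issuedAt,
		NotAfter:    issuedAt.Add(EdgeLifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, err := sign(tmpl, h.Intermediate, &key.PublicKey, h.IntermediateKey)
	return cert, key, err
}

// VerifyEdge does what a client would: chain edge to the root through the
// intermediate, match host, and check the validity window against clock at.
func VerifyEdge(h *Hierarchy, edge *x509.Certificate, host string, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Intermediate)
	_, err := edge.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: host, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	h, err := BuildHierarchy(t0)
	if err != nil {
		panic(err)
	}
	host := "dns-edge.example.net" // hypothetical edge host name
	cert, _, _ := IssueEdge(h, host, t0)
	// A certificate issued on day 0 still verifies on day 4 (so a missed daily
	// rotation is survivable) but is rejected on day 6.
	for day := 0; day <= 6; day++ {
		at := t0.Add(time.Duration(day) * RotationPeriod)
		fmt.Printf("day %d: %v\n", day, VerifyEdge(h, cert, host, at))
	}
}
```

The point of the five-day window against a one-day rotation is the slack it gives: the edge keeps serving through a failed rotation or two, while a leaked edge key is worthless within days and never needs revocation infrastructure. The pathlen:0 constraint on the intermediate is the check a practitioner should add to what the post describes, since a TPM protects the key from being copied but not from being misused by whatever process is allowed to talk to it.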