I'm wondering if you can stand up the FA as your Issuing CA and have it signed by DigiCert or someone else so that you can use it to generate certs and thus eliminate the need to purchase them individually? This may be an obvious answer to someone who understands PKI better than I. If someone knows of some deployment scenario examples (all I can find is "this is how you set it up" docs), I would love to read them.
I could understand how this might not be allowed when considering the traditional role of Windows-based CAs where your Root CA and perhaps Intermediate CA are air-gapped and only brought online to sign the Issuing CAs.
Thanks in advance.