Securing Istio PKI

It really depends on the threat model - meaning, intuitively, I want to say that I would like to have HSM protection for the root CA. So either support for systems like Azure Key Vault or PKCS#11. This will make it almost impossible to extract the keys and gives built-in audit capabilities. As this is the root of trust for authentication, this is pretty important.