Do you offer wildcard certs for subdomains (i.e. *.news.ycombinator.com)? I believe I had some trouble with caddy's tls internal directive when trying to do something crazy like this. Maybe you could mention it as your differentiator too.
EDIT: I currently use mkcert with caddy and it works fine for this.
Any reason why? That could limit the usefulness of the solution, I'd think.
Do you allow issuance of not-hosted-by-anchor CAs for TLS inspection, for example?
(Full disclosure, 20+ year veteran and CTO of big-CA-you-probably-know, but I really like how your product looks - just need a bit more time to explore!)
People do weird things with private CAs. Be it for testing or corporate shenanigans, they do want to issue for domains they don't control, data they can't verify, internal identifiers etc. - all in contrast to public/webPKI. This is fine, there's no real downside to letting them do it as it's a private CA after all.
The other thing wasn't cross-signing (not gazing into that abyss!). I just meant issuing a CA from the private root with CA=true so that it can itself issue certificates. Commonly used on MITM proxies/TLS inspection devices - sadly more common than you think, but again no risk to anyone outside of that enterprise. I believe even in some business areas, it's basically required to TLS MITM your users (finance).
Happy to chat more off here if you'd like - email on profile for personal or nick (at) sectigo dot com.