Did we need to hide the CA cert ?

I read about building PKI in vault and found out that the root CA is not present in vault but physical (USB, etc.). I understand that the private key needs to be protected, but I don't understand why we need to protect the CA cert.

For now, I'm using a self-signed CA (I don't yet use Intermediate CA or leaf CA), but I need to spread my CA cert over the computers that will use the certs signed by my …

building cert cybersecurity don etc found hide key physical pki private private key protect root understand usb vault