You can also use certbot on the subdomain servers if they are on the Internet, to auto-renew individual subdomain certificates. To run a "real" CA you need a lot of opsec and infrastructure regardless of what software you use. For basic dev-level purposes, CA.pl works and has been around forever, though I'm sure there is better stuff out there.