Factory root CA as a company's intermediate CA certificate

[mike-sul]

fioctl keys ca create creates the factory CA (factory_ca) as a self-signed root CA. I, as a customer, would like to use my own root CA as a root of trust for each Factory PKI. For example, I have two factories registered at Foundries and Factory CAs of these factories derive from my own company root CA.
Maybe, having something like

1. fioctl keys ca init that generates Factory CA key and CSR;
2. customer signs the CSR, as a result, Factory CA/CRT is produced;
3. fioctl keys ca create --root-ca <company-root-ca> --factory-ca <factory-ca> (it merges both CAs into a bundle and uploads it to the OTA backend so it can verify the full chain for TLS and device CAs certificates)