FGT SSL Deep Inspection e.g. needs a sub ca cert to work...
You're not even 100% correct here and are providing misleading information or confusion.
I've done SSL inspection with both a single root CA and with an intermediate certificate (aka sub CA) on FortiGates and a host of other firewall vendors, fwiw. (Btw, Forcepoint NGFW seems not to work with an intermediate from my experience and testing... keep that in mind if you're doing a PoC or bakeoff between vendors and have a heavy dependence on SSL VPN or SSL inspection and deep chains; the support/development teams know about this, but I highly doubt the sales teams explain this limitation with the CA depth, & yes, this is me griping about this limitation.)
In SSL inspection, the certificate can be either a root-CA or an intermediate-CA certificate; the former is more ideal in a big organization, but I've seen various avenues and topologies used by private CAs for SSL inspection.
Either way you go, the chain has to be trusted by the end-user (i.e. OS, browser).
In most of the top orgs and Fortune 500s they use a Microsoft CA or generate their own self-signed PKI infrastructure, commonly by using openssl (that's what I do); when you go to a commercial CA for this, all they are doing is managing a "different chain" for you that is NOT the general public chain that you see in the browser or at the OS level.
They are NOT going to just give you a root CA for SSL inspection or re-signing of intermediates, fwiw. You can't go as an individual and say "I want you to give me a root CA." Now if you're a big business (i.e. Fortune 500, mil, edu, NSA, etc...) they can build you "your" PKI CA & can build you a PKI infrastructure and give you rights to issue, for example, server certificates. I just did that recently with Entrust and GlobalSign. They typically call this service a "custom CA" or "custom ICA ... Intermediate Certificate Authority". They manage a complete PKI down to OCSP and CRL.
But a generic user like you or me is NOT going to get that, nor would it be cost effective to buy into that program or design as a generic end-user. We are talking about the TOP organizations or businesses (i.e. millions of dollars). These organizations are signing thousands of CSRs for various needs and reasons.
Keep this thought in mind: "all public CAs are really self-signed"; the only difference from your private CA, or let's say your custom ICA if you went that route, is that yours is NOT publicly known or recognized ;).
The public CAs are paying the OS and browser vendors (i.e. Firefox) to be installed as a trust component in those systems. Technically speaking, probably 100K public CAs exist (probably more), but not all of them are in your Windows OS or Firefox browser as an accepted CA.
And finally, just guessing, probably 1 million+ CAs exist (public and private sector); again, not all of them are pre-installed into your end OS device or browser ;)
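As an added example (not the poster's own scripts or any vendor's procedure), the following shell script uses openssl to build the kind of private PKI the reply describes: a self-signed root, an intermediate (sub CA) signed by it, and a server certificate issued by the intermediate. It then checks the leaf against three trust configurations to show why "the chain has to be trusted by the end-user": a client that holds only the root fails unless the intermediate is also presented, while a client that explicitly trusts the intermediate as an anchor succeeds. All names (`Example Private Root CA`, `internal.example.test`, the file names under `$WORK`) are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: private root CA -> intermediate (sub CA) -> server cert,
# then verify the leaf the way an OS/browser trust store would. Requires openssl.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

build_chain() {
  # 1. Private root CA. Like every public root, it is simply self-signed;
  #    the only difference is that nobody ships it in their trust store.
  cat > "$WORK/root.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/root.cnf" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

  # 2. Intermediate (sub CA): CSR signed by the root, CA:TRUE with pathlen:0
  #    so it can issue leaves but no further sub CAs.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/sub.ext"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/sub.ext" -out "$WORK/sub.crt" 2>/dev/null

  # 3. Server (leaf) certificate issued by the intermediate, as an inspection
  #    appliance or internal web server would receive.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=internal.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:internal.example.test\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# verify_leaf <mode> prints "ok" or "fail".
#   root-only   : client trusts only the root and the server sends no intermediate
#   root+chain  : client trusts the root, intermediate supplied as an untrusted chain cert
#   sub-partial : client was given the intermediate itself as an explicit trust anchor
verify_leaf() {
  case "$1" in
    root-only)   openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1 ;;
    root+chain)  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" \
                   "$WORK/leaf.crt" >/dev/null 2>&1 ;;
    sub-partial) openssl verify -partial_chain -CAfile "$WORK/sub.crt" \
                   "$WORK/leaf.crt" >/dev/null 2>&1 ;;
    *) return 2 ;;
  esac && echo ok || echo fail
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  build_chain
  for m in root-only root+chain sub-partial; do
    printf '%-12s %s\n' "$m" "$(verify_leaf "$m")"
  done
fi
```

The `root-only` case is the one that bites in practice: a root CA pushed out by group policy is not enough on its own if the device in the middle signs with an intermediate and the client never receives that intermediate, so either the appliance must send the full chain or the intermediate must be distributed as well. The `-partial_chain` case corresponds to deploying the sub CA certificate itself as a trusted anchor, which is what the original "needs a sub CA cert" remark amounts to.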