alt Hacker NewsIt's not that high of a requirement. The sub-CA is allowed to self audit. But the original CA does have to check a percentage of certificates issued by the sub-CA.
So that's not going to be free. But it might be possible to do it if you were big enough to pay for it. I have dreams of having my private CA also signed off on by webpki so apps and browsers could use the same servers without having to include webpki in my apps.
Not that I really work on such things anymore.
I also started going down this rabbit hole when I wanted my homelab to just work in any device, and for advanced use cases Let's Encrypt isn't enough. I tried long and hard to get a sub-CA certificate, but apparently that's in the realm of «if you need to ask, you can't afford it».