Video broadcast

Is anyone using EJBCA or CFSSL (CloudFlare SSL) for Private Certification Authority?

Used for a long time for internal systems XCA .
In a good way, everything suits: it is convenient to manage the CA hierarchy (root and several intermediate ones), generate and store keys and certificates at the same time, there are templates.
The main disadvantage: there is no way to automatically generate and upload CRLs and there is no OCSP support.
A well-known alternative is EJBCA- was not pleased. Firstly, there are problems with building under docker. Secondly, as far as I understand, EJBCA is focused on supporting a CA, whose users are "external" in relation to the CA. Those. the user himself generates the key and the request, then an individual signs it and the user himself takes the certificate. This is correct from the point of view. security and suitable for banks, etc. systems, but for a simple scenario (admin/security rolled into one) it adds a lot of unnecessary gestures - not convenient .
django-pki is not built under fresh versions of django, there is no desire to pick it up yet.
I have not tried r509 yet, I have never dealt with ruby.
pki.io seen, tried. Not suitable: there is a different ideology (rapid deployment of large infrastructure, OCSP imnot needed ).
The last thing I tried was CFSSL . It seems to work, I had to add a couple of python scripts to simplify the generation of certificates, I managed to set up the CA server separately from the workstation. Little documentation, no description of configuration files/profiles. The situation with intermediate CAs remained unclear. There is OCSP, but to use it, you need to sign the OCSP-response with a separate request and add it to a file on the server. CRL generation is implemented, but it requires an index file with a list of serials, and serials are only in the SQLITE database (this is a separate story: the field type is bytea, but sqlite stubbornly displays it as a float).
So the question arose: does anyone use EJBCA and / or CFSSL for such an internal CA? Or something else? Were you able to trigger automatic CRL and/or OCSP-responder updates?