Re: Subdomain security
a) Because certificate revocation is broken and doesn't work (see https://scotthelme.co.uk/revocation-is-broken/)
b) Why do you need your own CA to do that? You would just need any CA whose revocation you can automate.
c) If you've got the ability to create such an automated process then why don't you automate the process of removing the entries from the DNS? Better to have the subdomain nuked than just the cert for it.