HTTPS Signing CA should be restricted
The HTTPS Signing CA should be restricted to Enhanced Key Usage Server/Client Auth and a Basic Constraints path length of 0, and no private key download should be allowed.
The certs signed by this default CA are (or should be) used only for Server/(Client) Auth?! Currently the CA has no restriction on Enhanced Key Usage or the Basic Constraints path length, so a (compromised) CA could issue certs for any purpose and build an unlimited chain of SubCAs.
[The path length may not be so vulnerable, because keyCertSign isn't set]
Also, it shouldn't be possible to download this CA's private key. What purpose (other than compromise) does this serve?
Also, even if you fix all of the above with your own (Sub)CA, the last part still allows any admin to compromise the private key.
The best approach here (and elsewhere) would be to let the UTM generate a CORRECT CSR and store the private key internally.
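As an added example (not from the original post or from the UTM itself), this is what the requested restrictions look like in OpenSSL terms: a CA profile with pathlen:0, key usage limited to certificate/CRL signing and EKU limited to server/client auth, next to an unrestricted profile resembling the default CA, plus a check that reports whether a given CA cert actually carries those constraints. Section names, file paths and the CN are assumptions.

```shell
#!/bin/sh
# Added example, not the UTM's own code: build an HTTPS signing CA with the
# restrictions the post asks for and verify them. Paths and names are assumed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Two extension profiles: the restricted one (pathlen:0, keyUsage limited to
# certificate/CRL signing, EKU limited to server/client auth) and an
# unrestricted one resembling the default CA described in the post.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = UTM HTTPS Signing CA (constructed example)
[restricted_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
[unrestricted_ext]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
EOF

# make_ca <ext-section> <name>: generate key + self-signed CA cert; the key is
# created on the issuing host and never leaves it (mode 0600).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/ca.cnf" -extensions "$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
  chmod 600 "$WORK/$2.key"
  echo "$WORK/$2.crt"
}

# check_ca_restrictions <cert>: returns 0 only if every expected restriction
# is present in the certificate's X509v3 extensions.
check_ca_restrictions() {
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q 'CA:TRUE, pathlen:0'            || return 1
  echo "$txt" | grep -q 'Certificate Sign'              || return 1
  echo "$txt" | grep -q 'TLS Web Server Authentication' || return 1
  echo "$txt" | grep -q 'TLS Web Client Authentication' || return 1
}
```

`check_ca_restrictions` can be pointed at an exported copy of the UTM's own CA certificate to see which of these constraints it is missing.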