The first step to get a certificate authority (CA) for Intune is to create your CA in EZCA. The following page will guide you on how to do this.
Intune SCEP only supports RSA keys for the issuing certificate authority.
For Root CAs we recommend to have a manual Lifecycle since the new Root will have to be added to the trusted root stores of your clients which requires manual steps from the IT team.
This value will override any value that you set in Intune.