So if I understand this well, I would create a signing CA from my root CA then use the signing CA to create my device certificate and finally provision it to the secure element. Would the signing CA also need to have the jitp template attached to it ? And would the signing CA also need to be provisioned to the device ?