I am generating a certificate chain with a root CA, an intermediate CA, and a leaf certificate using the same signing key coming from a hardware security module. In all tutorials I've seen online, the 3 certificates are always generated using different keys. However, is it a bad practice to re-use a private key, which is stored securely, for all certificates in the certificate chain?
It is a bad practice which could lead to severe security issues and invalidates the concept of a PKI hierarchy. Let's imagine a scenario in which your private key is compromised; in this case you will have to revoke all 3 certificates, including your root certificate authority's.
A good practice is:
This way, if one of the keys (entity) is compromised, you can revoke that certificate using certificate revocation lists.
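The consequence the answer describes, as an added example that is not part of the question or the answer above: the Go program below builds the same root, intermediate and leaf chain twice with the standard library's crypto/x509, once with a separate key per certificate and once with one shared key as in the question. It then shows two things a practitioner would want to check. First, a validator accepts both chains, so path validation alone will not flag the reuse; the `ReusedKey` lint, which compares each certificate's SubjectPublicKeyInfo, does. Second, `LeafKeyMintsRootIssuedCert` tries to sign a new certificate in the root's name with nothing but the leaf's private key: with separate keys the attempt fails, with a shared key it succeeds and the forged certificate validates against the root. The names, serial numbers, hostnames and in-memory ECDSA keys are constructed for the demonstration (the question's keys would live in an HSM); nothing here is the original poster's code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds a three-level PKI. Keys are in-memory ECDSA keys for the demo
// (assumption: in the question's setup they would sit in an HSM).
type Chain struct {
	Root, Inter, Leaf          *x509.Certificate
	RootKey, InterKey, LeafKey *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func must(c *x509.Certificate, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	return c
}

// issue signs a certificate for pub with parentKey. parent == nil means self-signed.
// crypto/x509 refuses to sign when parentKey does not match the parent's public key.
func issue(serial int64, cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain issues root -> intermediate -> leaf. sharedKey=true reproduces the
// question's setup: a single private key behind all three certificates.
func BuildChain(sharedKey bool) *Chain {
	c := &Chain{RootKey: newKey()}
	c.InterKey, c.LeafKey = c.RootKey, c.RootKey
	if !sharedKey {
		c.InterKey, c.LeafKey = newKey(), newKey()
	}
	c.Root = must(issue(1, "Example Root CA", true, &c.RootKey.PublicKey, nil, c.RootKey))
	c.Inter = must(issue(2, "Example Issuing CA", true, &c.InterKey.PublicKey, c.Root, c.RootKey))
	c.Leaf = must(issue(3, "www.example.test", false, &c.LeafKey.PublicKey, c.Inter, c.InterKey))
	return c
}

// Verify path-validates the leaf through the intermediate up to the root.
func (c *Chain) Verify() error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Inter)
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.example.test"})
	return err
}

// ReusedKey reports whether two certificates carry the same SubjectPublicKeyInfo,
// i.e. the same key: a pre-deployment lint for the anti-pattern in the question.
func ReusedKey(certs ...*x509.Certificate) bool {
	seen := map[string]bool{}
	for _, cert := range certs {
		spki := string(cert.RawSubjectPublicKeyInfo)
		if seen[spki] {
			return true
		}
		seen[spki] = true
	}
	return false
}

// LeafKeyMintsRootIssuedCert models an attacker who holds only the leaf's private
// key (e.g. after compromising the web server) and uses it to issue a certificate
// in the root's name. It returns true only if that certificate validates against the root.
func LeafKeyMintsRootIssuedCert(c *Chain) bool {
	victim := newKey()
	forged, err := issue(99, "attacker.example.test", false, &victim.PublicKey, c.Root, c.LeafKey)
	if err != nil {
		return false // signing key does not match the root's public key
	}
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	_, err = forged.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

func main() {
	for _, shared := range []bool{false, true} {
		c := BuildChain(shared)
		fmt.Printf("shared key=%v: chain verifies=%v, key reuse detected=%v, leaf key mints root-issued cert=%v\n",
			shared, c.Verify() == nil, ReusedKey(c.Root, c.Inter, c.Leaf), LeafKeyMintsRootIssuedCert(c))
	}
}
```

Run it with `go run .`; the shared-key line is the one to read: the chain still verifies, so nothing in normal validation warns you, while the leaf key is now a root signing key in all but name. In a real deployment the `ReusedKey` check belongs in whatever pipeline exports certificates from the HSM, and each CA level should get its own key object there.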