You can just issue new certificates one per year, and otherwise keep your personal root CA encrypted. If someone is into your system to the point they can get the key as you use it, there are bigger things to worry about than them impersonating your own services to you.
I’ve heard this comparison so many times I ran some experiments. A number 8 1.5" coated decking screw inserted into two one by pine boards through the grain by a hammer holds about half as well as one inserted using a screwdriver. One hit to drive the screw is better than several, but a two hit approach (one to set the angle of the screw tip, the second to send it home) was most reliable. Drilling a pilot hole before hammering improves things pretty significantly, up towards 3/4 of the holding power of a driver driven screw.
On the other hand, even very slight misalignment between the hammer swing and the screw can result in failure, and the board was always more damaged by a hammer inserted screw.