Is it safe to publish a private CA's root and intermediate certificates?

There's a reason they're called "public" keys. :) There are hundreds of Root CA certificates bundled with your operating system, etc. If your attacker can factor your public key, you've already lost.

The only concerns I'd have with a private CA are whether or not you expose information about your internal structure that might be useful to an attacker, e.g., details about who operates your CA, particular servers that have the CA private keys for signing...


Building on @David's answer, it depends what's in those certificates and whether you consider that information to be sensitive. For example, this is probably not sensitive:

cn=Root CA, O=ebr, inc, C=US

but this might be:

cn=AWS subnet 101.102.103 Issuing CA, OU=Backend Servers, O=ebr, inc, C=US

Also think about whether the expiry date of the issuing CA is sensitive information, because an attacker will know that all certs need to be rolled over around that date. Is there an OCSP or CDP entry? Does its URL leak info about your network structure? Etc...

Bottom line: In all likelihood, CA certs are fine to be public, but you should open the cert files in a viewer and make sure there's nothing in there that you would rather keep private.
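The check described in the last answer, as an added example that is not part of either answer: it prints the subject, expiry and embedded OCSP/CDP URLs of a CA certificate and flags lines worth a second look. It assumes the `openssl` CLI is installed; the function names, the sample hostnames and the flagging patterns are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the answers). Requires the openssl CLI.

# Constructed sample input: a throwaway CA whose DN reuses the answer's
# "might be sensitive" example; the CDP/OCSP hostnames are made up.
make_sample_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
C = US
O = ebr, inc
OU = Backend Servers
CN = AWS subnet 101.102.103 Issuing CA
[ext]
basicConstraints = critical,CA:TRUE
crlDistributionPoints = URI:http://pki01.corp.example.internal/issuing.crl
authorityInfoAccess = OCSP;URI:http://ocsp.corp.example.internal/
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Print the fields worth reading before publication: subject DN, expiry,
# and every URI in the extensions (OCSP, CA Issuers, CRL distribution points).
review_ca_cert() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= */subject:  /'
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=/notAfter: /'
    openssl x509 -in "$1" -noout -text | grep -o 'URI:[^[:space:]]*' | sed 's/^URI:/uri:      /'
}

# Heuristic filter (assumption: these patterns are only a starting point):
# keep lines with IP-like fragments, OU values, or internal-looking hostnames.
flag_review_items() {
    grep -E '([0-9]{1,3}\.){2}[0-9]{1,3}|OU=|\.(internal|local|corp|lan)([/:]|$)' || true
}

# Demo run on the constructed certificate.
tmp=$(mktemp -d)
make_sample_ca "$tmp"
review_ca_cert "$tmp/ca.pem"
echo "--- review before publishing:"
review_ca_cert "$tmp/ca.pem" | flag_review_items
rm -rf "$tmp"
```

To check a real certificate, call `review_ca_cert path/to/ca.pem` on its own; the filter only narrows what to read, so the full output still deserves a look.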