I need a certificate with CA=True or KeyUsage=CertSign
The above key constraints mean that the certificate is allowed to issue signed certificates. It is not possible to purchase a publicly trusted certificate with these constraints from any Certificate Authority.
If such a certificate were issued it would be possible to sign an end-entity certificate for any domain and it automatically be trusted by browsers.
This creates a significant security risk as the owner of such a certificate could simply just issue a certificate for google.com or paypal.com and inspect all traffic between the user and the server.
The main reason for requiring such a certificate is to install on a firewall type device that performs deep packet inspection. This is essentially performing a Man-in-the-Middle attack on the end user using the firewall by breaking end-to-end encryption for that user.
The only option is to create a self-signed certificate with these key constraints and then add it as a trusted certificate on all the end user devices connecting through the firewall either via a group policy or asking the end users to install the certificate.