Custom root cert for kubeconfig files
Is it possible to have multiple/custom root certificate to be used for group of users/kubectl/config files?
No, there's only one "root" certificate, that's why it's called the root.
However, x509 is a chain of trust, meaning it's quite possible to issue subordinate CAs under that root, then issue the user certificates under those CAs, choosing to remove the subordinate CAs when the project ends, which will orphan all those leaf certificates. Be aware that to the very best of my knowledge changing the certificates or their chain requires restarting the control-plane, since it does not hot-reload those certificate files. I believe there's a GitHub issue for it, just like all the rest of the 15,000 of them
The other choice, depending on your needs, is to issue short leases for the user certs such that the "revocation" process isn't so much altering the x509 chain of trust as much as it is just failing to reissue a credential. That's closer to the Hashicorp Vault and Let's Encrypt school of thought
I have personally implemented the 2nd one (using Vault), but I believe the first one is possible because the apiserver uses x509 chains for some of its in-cluster component auth, so I don't see why you couldn't similarly take advantage of that mechanism
I know this isn't what you asked, but using x509 for transient auth like that is the road to ruin because -- as you are experiencing -- both sides, issuing and revocation, are a huge pain. If it's at all available to you, the OIDC auth mechanism is much easier to reason about and kubectl
has more-or-less built-in support for it