My tests show this approach should work 
- Sign in to GitHub · GitHub
=== RUN TestKeyRollover
=== RUN TestKeyRollover/Missing_account_URL
=== RUN TestKeyRollover/Missing_new_key_from_inner_payload
=== RUN TestKeyRollover/New_key_is_the_same_as_the_old_key
=== RUN TestKeyRollover/Inner_JWS_signed_by_the_wrong_key
=== RUN TestKeyRollover/Valid_key_rollover_request,_key_exists
=== RUN TestKeyRollover/Valid_key_rollover_request
=== RUN TestKeyRollover/Valid_key_rollover_request,_added_ACME13KeyRollover_compat
=== RUN TestKeyRollover/ACME13KeyRollover,_legacy_rollover_request
=== RUN TestKeyRollover/ACME13KeyRollover,_Missing_account_URL
=== RUN TestKeyRollover/ACME13KeyRollover,_incorrect_old_key
=== RUN TestKeyRollover/ACME13KeyRollover,_Valid_key_rollover_request,_key_exists
=== RUN TestKeyRollover/ACME13KeyRollover,_Valid_key_rollover_request
=== RUN TestKeyRollover/ACME13KeyRollover,_Valid_key_rollover_request,_legacy_compat
--- PASS: TestKeyRollover (1.25s)
--- PASS: TestKeyRollover/Missing_account_URL (0.04s)
--- PASS: TestKeyRollover/Missing_new_key_from_inner_payload (0.04s)
--- PASS: TestKeyRollover/New_key_is_the_same_as_the_old_key (0.06s)
--- PASS: TestKeyRollover/Inner_JWS_signed_by_the_wrong_key (0.05s)
--- PASS: TestKeyRollover/Valid_key_rollover_request,_key_exists (0.05s)
--- PASS: TestKeyRollover/Valid_key_rollover_request (0.05s)
--- PASS: TestKeyRollover/Valid_key_rollover_request,_added_ACME13KeyRollover_compat (0.05s)
--- PASS: TestKeyRollover/ACME13KeyRollover,_legacy_rollover_request (0.04s)
--- PASS: TestKeyRollover/ACME13KeyRollover,_Missing_account_URL (0.04s)
--- PASS: TestKeyRollover/ACME13KeyRollover,_incorrect_old_key (0.04s)
--- PASS: TestKeyRollover/ACME13KeyRollover,_Valid_key_rollover_request,_key_exists (0.05s)
--- PASS: TestKeyRollover/ACME13KeyRollover,_Valid_key_rollover_request (0.05s)
--- PASS: TestKeyRollover/ACME13KeyRollover,_Valid_key_rollover_request,_legacy_compat (0.05s)
PASS
ok github.com/letsencrypt/boulder/wfe2 (cached)