I understand that you also see the contradiction here. I suggest generating intermediates from the old root certificates too, and allowing users to select them via an alternate chain.