I think you need to gets your skates on and publish new root certificates soon.
If a root certificate is valid for 10 years, you need to renew it every 5 years, otherwise you cannot generate intermediate certificates valid for 5 years.
If an intermediate certificate is valid for 5 years, you need to renew it every 3 years, otherwise you cannot generate end user certificates valid for 1-2 years.
Your existing root certs are expiring very soon, (months away) and should have been renewed 5 years ago!!!
You have to also allow significant time for the new root certificate to be distributed to everyone’s PC, laptop, mobile phone etc.