My Client does some certificate management, so I have questions about organizing the current root/intermediate certs.
- X1, X2, X3, X4 - original naming scheme
- E1, E2, R3, R4 - new naming scheme with non-overlapping numbers
- despite R3 being deployed before E1:
  - they are in the same numbering system
  - 3/4 are signed by ISRGROOT-X1, 1/2 are signed by ISRGROOT-X2
Also, in addition to the above... a properly operating client shouldn't have any issues with switchovers from X3/X4 to R3/R4. (A new Fake-R3 would have been nice on the staging server though!) When E1 starts issuing in parallel, then clients will need to adapt (related thread: "Questions re: Beginning Issuance from R3").