How is the PKI CA chain generated?

I, too, am struggling a lot with getting cross-signing to work and specifically the tutorial mentioned in the opening post. I think I have a major misconception in my understanding, so I’d appreciate any help.

The situation:

  • I have an old, self-signed root in vault, let's call it oldroot, that is about to expire. It's on its own mount.
  • Many servers serve https with certificates signed directly by that oldroot
  • Many clients (browsers) have oldroot in their trust-stores. I can’t easily add a new trusted root CA cert to their trust stores and I want a grace period to test a new solution before oldroot expires, at which point I have no choice but to add a new root CA to their stores
  • In the meantime I want the new root CA solution on new clients that will include its cert in their trust store

So my thinking was:

  • Create a new self-signed root CA called newroot
  • Create an intermediate authority in vault called int-2025
  • Sign that intermediate with oldroot
  • Cross-sign that same intermediate with newroot
  • Transition the servers to serve the new chain that goes newroot -> int-2025 -> server-cert (or does it have to look differently?)
  • Hopefully have the servers serving the new chain work with both new clients, that only have newroot in their trust stores and with old clients that only have oldroot in their trust stores

But I can’t get it to work no matter what I do. Here is my best effort config script to set things up based on the tutorial.
Is there a fundamental flaw in my thinking or some trick I’m missing? Should that in principle work and I must look into the details?
Technically, a cross-signed intermediate, as far as I understand, is two certificates that share the same key material and common name. One is signed with one root CA's key, the other with the other root CA's. Do I have to serve both in the server chain?

There are definitely some sharp edges here and things the tutorial glosses over, but I'm also doubting the fundamentals of my understanding. On top of that, there also seem to be some bugs that make life harder.