PKI: serve CRL for issuer with no key?

Hi, I have set up an online Vault Issuing CA with offline Root CA (also with Vault), similar to the Enable ACME with PKI secrets engine tutorial.

The Offline Root CA has been imported as an issuer, but with no private key. I therefore have two Vault issuers in my Vault instance, one with a key (the Intermediate CA), one without (the Root CA).

From what I (mis)understood, the Root CA was configured with its AIA information pointing to the Intermediate CA’s public endpoints. That is, I’ve done this on the Root CA:-

vault write pki/config/cluster \
   path=http://issuing-ca/v1/pki \
   aia_path=http://issuing-ca/v1/pki

vault write pki/config/urls \
   issuing_certificates={{cluster_aia_path}}/issuer/{{issuer_id}}/der \
   crl_distribution_points={{cluster_aia_path}}/issuer/{{issuer_id}}/crl/der \
   ocsp_servers={{cluster_path}}/ocsp \
   enable_templating=true

The issuing_certificates location is okay, however the crl_distribution_points and ocsp_servers URLs aren’t valid as the root CA’s issuer on the intermediate CA instance has no key.

I was hoping I could import a CRL signed by the Root into the Intermediate Vault instance, so that it can serve the CRL at the templated URL configured above. Is this possible?

The closest thing I could find in the API documentation is the section under Combine CRLs from the same issuer. But I’m not sure if this API call actually satisfies what I’m trying to do?

My only other idea was to spin up an Nginx container and have that host my CRL files. Not my preferred option, but I can’t see another obvious way around it tbh…

Any advice that you could give on how to handle the CRL and AIA URLs between an offline root and intermediate CA would be really appreciated!

Many thanks,
Alex
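
Added example (not part of the original post, and not Vault's own tooling): a CRL is a self-contained object signed by its issuer, so whichever host ends up serving the root's CRL at the distribution point URL, the file can be checked against the root certificate before it is published. The function names are hypothetical, the throwaway CAs and CRLs are constructed test data standing in for the real offline root's export, and the `openssl` CLI is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: verify a root-signed CRL before hosting it at the CDP URL.
# All keys, certificates and CRLs here are constructed throwaway test data.

# make_fixture DIR NAME (hypothetical helper): build a stand-in offline root
# NAME.pem/NAME.key and a DER-encoded CRL NAME.crl signed by that root.
make_fixture() {
  local d="$1" n="$2"
  : > "$d/$n.index"                       # empty revocation database
  cat > "$d/$n.cnf" <<EOF
[ca]
default_ca = root
[root]
database   = $d/$n.index
default_md = sha256
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed $n" \
    -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null
  openssl ca -gencrl -config "$d/$n.cnf" -cert "$d/$n.pem" -keyfile "$d/$n.key" \
    -crldays 30 -out "$d/$n.crl.pem" 2>/dev/null
  openssl crl -in "$d/$n.crl.pem" -outform DER -out "$d/$n.crl"
}

# check_crl ROOT_PEM CRL_DER (hypothetical helper): echo "ok" if the CRL's
# signature verifies under ROOT_PEM, otherwise echo a reason and return 1.
# It matches openssl's "verify OK" text instead of trusting the exit status.
check_crl() {
  local root="$1" crl="$2"
  [ -s "$crl" ] || { echo "missing-crl"; return 1; }
  if openssl crl -inform DER -in "$crl" -CAfile "$root" -noout 2>&1 \
       | grep -q 'verify OK'; then
    echo "ok"
  else
    echo "not-signed-by-root"; return 1
  fi
}

# Demo on constructed data: one CRL from the intended root, one from another CA.
tmp=$(mktemp -d)
make_fixture "$tmp" root
make_fixture "$tmp" other
check_crl "$tmp/root.pem" "$tmp/root.crl"  || true
check_crl "$tmp/root.pem" "$tmp/other.crl" || true
# Show the issuer and nextUpdate an operator would review before publishing.
openssl crl -inform DER -in "$tmp/root.crl" -noout -issuer -nextupdate
```

The `nextUpdate` value printed at the end is the date by which a fresh CRL has to be exported from the offline root and re-published.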