Updated CA certificates not used

HC Vault version 1.12.1 was set up some years ago with an external root CA certificate and an external sub CA certificate. From this, HC Vault’s own certificate has been approved.
Now, the sub CA certificate needs to be renewed. This has been uploaded to HC Vault.
However, when I create a new HC Vault certificate, it is still approved by the old sub CA certificate.
Also, uploading the new CA chain with root and sub CA certificate did not solve it.
What needs to be done so that the new CA certificate is “activated”?

With Vault PKI multi-issuer, a PKI mount can have multiple CA certificates. I’m assuming the PKI mount now has multiple CAs, with the old CA certificate still being marked as the default issuer.

You can confirm this through the following commands:

$ vault list -detailed pki/issuers

Keys                                    is_default    issuer_name    key_id                                  serial_number
----                                    ----------    -----------    ------                                  -------------
4b77288a-af14-a380-89ec-73cbc5cca9e9    true          n/a            66eedf14-72e0-e25e-7507-727ec9addb64    17:63:61:7b:ec:e3:7d:29:22:89:eb:9f:5e:82:75:ea:92:76:cb:ec
b889f82d-2bbd-0988-b8f2-6044db36ee66    false         n/a            f5ae1e8a-247a-fb97-be58-3e7786086e79    27:47:d8:c7:aa:dc:1a:e9:28:22:fb:e6:99:20:c9:ab:23:d8:1b:f9

$ vault read pki/config/issuers

Key                              Value
---                              -----
default                          4b77288a-af14-a380-89ec-73cbc5cca9e9
default_follows_latest_issuer    false

Updating the default key within the config/issuers endpoint to point to the correct issuer should activate the new CA certificates for the APIs that leverage the default CA issuer.
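
The steps described in the answer, as an added example that is not part of the original thread: it finds the current default and the other issuers in the `vault list -detailed` output, lets you inspect an issuer's certificate, and switches the default only to an ID the mount actually lists. The helper function names are hypothetical, the mount path `pki` is taken from the answer, and the embedded table is the output posted above.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the mount path "pki"
# used in the answer above; override with MOUNT=... for another mount.
MOUNT="${MOUNT:-pki}"

# Output of `vault list -detailed pki/issuers` as posted in the answer,
# embedded so the parsing below can be exercised without a Vault server.
SAMPLE='Keys                                    is_default    issuer_name    key_id                                  serial_number
----                                    ----------    -----------    ------                                  -------------
4b77288a-af14-a380-89ec-73cbc5cca9e9    true          n/a            66eedf14-72e0-e25e-7507-727ec9addb64    17:63:61:7b:ec:e3:7d:29:22:89:eb:9f:5e:82:75:ea:92:76:cb:ec
b889f82d-2bbd-0988-b8f2-6044db36ee66    false         n/a            f5ae1e8a-247a-fb97-be58-3e7786086e79    27:47:d8:c7:aa:dc:1a:e9:28:22:fb:e6:99:20:c9:ab:23:d8:1b:f9'

# Issuer ID currently marked as default (is_default column is "true").
current_default() { awk '$2 == "true" { print $1 }'; }

# Issuer IDs that are not the default: the renewed sub CA is among these.
candidates() { awk '$2 == "false" { print $1 }'; }

# Succeeds only if ID ($1) is an issuer row in the table read from stdin.
issuer_known() {
  awk -v id="$1" '$1 == id && ($2 == "true" || $2 == "false") { ok = 1 } END { exit !ok }'
}

# Print subject, serial and expiry so the renewed sub CA can be told apart
# from the old one before anything is changed.
describe_issuer() {
  vault read -field=certificate "$MOUNT/issuer/$1" |
    openssl x509 -noout -subject -serial -enddate
}

# Point the mount's default at ID ($1), refusing IDs the mount does not list.
promote_issuer() {
  vault list -detailed "$MOUNT/issuers" | issuer_known "$1" ||
    { echo "unknown issuer: $1" >&2; return 1; }
  vault write "$MOUNT/config/issuers" default="$1"
  vault read -field=default "$MOUNT/config/issuers"   # should now print $1
}

# Against a live server: sh script.sh describe <id>  or  sh script.sh promote <id>
# With no arguments, only the embedded sample is parsed.
case "${1:-}" in
  describe) describe_issuer "$2" ;;
  promote)  promote_issuer "$2" ;;
  *) printf 'default: %s\ncandidates: %s\n' \
       "$(printf '%s\n' "$SAMPLE" | current_default)" \
       "$(printf '%s\n' "$SAMPLE" | candidates)" ;;
esac
```

Certificates issued before the switch remain signed by the old sub CA; issue a new certificate afterwards and check its issuer field to confirm the change took effect.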