Key Changeover
CAs will not be re-keyed. CA key pairs will be retired from service at the end of their respective lifetimes as defined in §6.3. New CA key pairs will be created as required to support the continuation of CA Services. Each CA will continue to publish CRLs signed with the original key pair until all Certificates issued using that original key pair have expired.