In effect, no. Such a "rotation" requires that all clients trust the new root. Your PC probably gets software updates every week or every month, maybe your phone gets one a month or per quarter (until support runs out). But how about your smart TV? Car? Internet-connected doorbell? That IP phone you disconnected last winter and forgot to re-install?
Big CAs tend to ship new roots periodically, in addition to their existing roots, so as to begin gradually phasing over, over a period of several years. So e.g. HugeCA mint a new key in 2001, and the major trust stores decide to trust it in 2002-2003. In 2005 HugeCA offer certificates from the new root to customers who prefer the new root and understand the risk. Unfortunately these customers see high failure rates, e.g. the all-in-one printer/scanners from a big-name company they used in their offices have firmware last updated in 1998. In 2008 HugeCA confirm the big-name company's printer/scanner firmware update is complete and begin in 2009 selling these certs more widely; there are a few hiccups, e.g. they don't work in Windows ME, which one customer insists is "the latest version". But maybe by 2011 HugeCA can announce retirement of the old CA root with a retirement date of, say, 2015.
Yes, you can do this. In particular it can make sense for a long-lived CA to have root #1 sign a certificate for root #2 as if it were an intermediate, so then you can bring root #2 into use, but older clients can trust it by sending them that intermediate certificate, while newer clients should rely on their direct trust.
Some older clients unfortunately can get into a state where they distrust root #1 (e.g. because it is old) but they know it exists, and so even though they trust root #2 they can see this alternate path via the intermediate to root #1 and reject the whole mess. People shouldn't write software which does this, but they did.