SCEP allows a transition period for devices: a staged new (rollover) Sub CA certificate can be propagated to devices (through the GetNextCACert operation of RFC 8894) before the new Sub CA is used for leaf certificate issuance, so that a leaf issued by the new Sub CA is verifiable by the device as soon as it is issued.
(The purpose of the rollover certificate here is not to make the new Sub CA certificate automatically trusted just because the device already holds and trusts the old one. Trust in the new certificate is established by its chaining to a CA higher up in the chain that the device already trusts.)
The current workflow is centered on leaf-certificate-issuing Sub CAs whose own issuer is external, but the issuer of such a Sub CA could also be colocated with it. For example:
- The CA that issues the Sub CA certificate could be kept inactive except during renewals.
- The leaf issuer might keep its private key in cheaper and faster storage than the CA above it (and hence, typically, less protected storage), and is therefore required to be more short-lived.
In the latter case, automatic creation of the staged new Sub CA certificate at each renewal could be relevant.
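The staged rollover described above, as an added example that is not part of the original page or of any SCEP implementation: a Go program using only the standard library that builds a root, a current Sub CA, a staged Sub CA and a device leaf, then checks what a device can verify before and after GetNextCACert has propagated the staged certificate, and that the staged certificate chains to the root rather than to the Sub CA it replaces. The `Device` type, the certificate names and the modelling of GetCACert/GetNextCACert as adding a certificate to the device's intermediate pool are assumptions made for this example, not any project's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1 // toy serial counter; a real CA uses random serials

// mustIssue signs a certificate for pub with parentKey; parent == nil makes it
// self-signed (the root). Illustrative helper, not any SCEP server's API.
func mustIssue(cn string, isCA bool, lifetime time.Duration, pub *ecdsa.PublicKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(lifetime),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; always parses
	return cert
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Device models a SCEP client (assumed for this example): it trusts only the root
// and caches the CA certificates it fetched with GetCACert / GetNextCACert.
type Device struct {
	roots, intermediates *x509.CertPool
}

func (d *Device) Verify(leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: d.roots, Intermediates: d.intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// RolloverResult records what the device can verify at each stage (nil = OK).
type RolloverResult struct {
	OldLeaf            error // leaf from the current Sub CA
	NewLeafBeforeFetch error // leaf from the staged Sub CA before the device has its cert
	NewLeafAfterFetch  error // same leaf after GetNextCACert delivered the staged cert
	StagedByRoot       error // the staged cert's signature checks against the root ...
	StagedByOldSubCA   error // ... and not against the Sub CA it replaces
}

func RunRollover() RolloverResult {
	rootKey, oldKey, newKey, devKey := mustKey(), mustKey(), mustKey(), mustKey()
	root := mustIssue("Root CA", true, 10*365*24*time.Hour, &rootKey.PublicKey, nil, rootKey)
	// Both Sub CAs are issued by the root; the staged one is not chained through the one it replaces.
	oldSub := mustIssue("Sub CA 2024", true, 90*24*time.Hour, &oldKey.PublicKey, root, rootKey)
	newSub := mustIssue("Sub CA 2025", true, 90*24*time.Hour, &newKey.PublicKey, root, rootKey)
	dev := &Device{roots: x509.NewCertPool(), intermediates: x509.NewCertPool()}
	dev.roots.AddCert(root)           // provisioned trust anchor
	dev.intermediates.AddCert(oldSub) // obtained earlier via GetCACert
	var r RolloverResult
	r.OldLeaf = dev.Verify(mustIssue("device-1", false, 24*time.Hour, &devKey.PublicKey, oldSub, oldKey))
	// Issuing from the staged Sub CA before it has propagated: the device cannot chain the leaf.
	newLeaf := mustIssue("device-1", false, 24*time.Hour, &devKey.PublicKey, newSub, newKey)
	r.NewLeafBeforeFetch = dev.Verify(newLeaf)
	dev.intermediates.AddCert(newSub) // GetNextCACert propagated the staged cert
	r.NewLeafAfterFetch = dev.Verify(newLeaf)
	r.StagedByRoot = newSub.CheckSignatureFrom(root)
	r.StagedByOldSubCA = newSub.CheckSignatureFrom(oldSub)
	return r
}

func main() {
	fmt.Printf("%+v\n", RunRollover()) // nil entries are the checks that passed
}
```

The only verification failure in the run is the leaf issued by the staged Sub CA before the device has fetched that Sub CA's certificate; once it has, the same leaf verifies, and the device's trust in the staged certificate comes from the root, not from the Sub CA being retired (its signature does not check against the old Sub CA's key). That is the ordering the transition period exists to guarantee: propagate first, issue second.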