diff --git a/dch-root-ca/dch-root-ca.crt b/dch-root-ca/dch-root-ca.crt
index e0235a5..6705c7a 100644
--- a/dch-root-ca/dch-root-ca.crt
+++ b/dch-root-ca/dch-root-ca.crt
@@ -1,11 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBgTCCATOgAwIBAgIUTf/ZBSJEi8IQb8Ndoxp4/tHB/lcwBQYDK2VwMEAxCzAJ
-BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxFzAVBgNVBAMMDkRD
-SCBSb290IENBIFIzMB4XDTI0MDIxNzIwMjkzNloXDTM0MDIxNzIwMjkzNlowQDEL
-MAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UEAwwO
-RENIIFJvb3QgQ0EgUjMwKjAFBgMrZXADIQDORylVcWcxwGDJvsJIc2NctfNfDaIU
-T6mLebahKdshaKM/MD0wHQYDVR0OBBYEFLZoxAHBvWqbLWMga/DAAlG9ido5MA8G
-A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMAUGAytlcANBANLV79joVd9s9bmL
-0a91HqvOotOnN/416Ek4UTl95jIqy/TvTfRjXX56wSALXqP1iYQM5i3zk3gVEhh4
-DaY+6wQ=
+MIIBxDCCAWqgAwIBAgIUbHz2tssa09zsHk+EdGD3QKprMKQwCgYIKoZIzj0EAwQw
+QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
+AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMwOTI0MjA1MzA5WhcNNDMwOTE5MjA1MzA5
+WjBAMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMRcwFQYD
+VQQDDA5EQ0ggUm9vdCBDQSBSMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2D
+NJHRcjuA19ZoprBKaxIfUxAbz6LigM7dgtO6+isaMlxRAVJmsITADIE/22RrUDgD
+Ofkt2iZTUjMrz3AxXhWjQjBAMB0GA1UdDgQWBBTM+d8kb1koGmKRtJs4gN9zYa+6
+oTASBgNVHRMBAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANI
+ADBFAiEA2Ka8mMiAFLmrFWt0dAml247re2+i4UPhyHcOBfNK+goCIHv+vEw7CHZQ
+irIa697nfe4KiXIMwHlAMS1+1QZohFDC
 -----END CERTIFICATE-----
diff --git a/step-ca/README.md b/step-ca/README.md
index 9bd7c56..2b16b13 100644
--- a/step-ca/README.md
+++ b/step-ca/README.md
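Review bot: The R2 root introduced here is committed twice — this hunk and the one in step-ca/root_ca.crt carry the same blob hashes e0235a5..6705c7a — so the two copies can drift silently the next time one is rotated; if step-ca/root_ca.crt cannot be a symlink or a build-time copy, a CI check that the two files are byte-identical is warranted and the README should name which one is canonical. Clients import this file as a trust anchor, so the README should also record the root's SHA-256 fingerprint (computed from the committed file) so an importer can confirm out of band what they fetched. As far as the DER can be read from the base64, the new root is an ECDSA P-256 key self-signed with ecdsa-with-SHA512, valid 2023-09-24 to 2043-09-19, with `pathLenConstraint 1` where the removed R3 root had no length constraint; that tighter constraint is worth stating in the README alongside the Firefox rationale.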
@@ -10,18 +10,19 @@ OpenID Connect, mTLS, and more. ## Offline Root CA -The *DCH Root CA R3* private key is managed externally from Step CA. It is +The *DCH Root CA R2* private key is managed externally from Step CA. It is stored offline (on a flash drive in a fireproof safe). Only the CA certificate is used by the online CA service, where it is provided to clients to include in as a trust anchor in their respective certificate stores. -*DCH Root CA R3* replaces *DCH Root CA R2*, which never ended up being used, -and *DCH Root CA R1*, which has not been used for some time. +*DCH Root CA R2* replaces *DCH Root CA R1*, which has not been used for some +time. *DCH Root CA R3* also exists, but it is based on an ED25519 signature, +which is not supported by Firefox. ## Online Intermediate CA -Step CA manages the *DCH CA R3* intermediate certificate authority. The +Step CA manages the *DCH CA R2* intermediate certificate authority. The private key for this CA is stored in the `intermediate_ca.key` file, encrypted with the password in `password`. This key pair is needed by the online CA to sign end-entity certificates. @@ -29,7 +30,7 @@ sign end-entity certificates. ### ACME Provisioner -Hosts can obtain certificates signed by *DCH CA R3* using the ACME protocol. +Hosts can obtain certificates signed by *DCH CA R2* using the ACME protocol. The CA will only sign certificates for names that map to addresses controlled by the requesting client. For most machines, that means they can only get a certificate for their hostname. Other names can be added using DNS CNAME diff --git a/step-ca/intermediate_ca.crt b/step-ca/intermediate_ca.crt index 2d9815e..cd43652 100644 --- a/step-ca/intermediate_ca.crt +++ b/step-ca/intermediate_ca.crt 
@@ -1,15 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIICTzCCAgGgAwIBAgIUDNTFsSYYl8xsEcg9kTatxvOSkmUwBQYDK2VwMEAxCzAJ
-BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxFzAVBgNVBAMMDkRD
-SCBSb290IENBIFIzMB4XDTI0MDIxNzIwMjk0M1oXDTI1MDIxNzIwMjk0M1owOzEL
-MAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDESMBAGA1UEAwwJ
-RENIIENBIFIzMCowBQYDK2VwAyEA50stJ8iW6/f+uECPxAJwpSfQDRQg4/AgKJY2
-lpd3uNijggEQMIIBDDAdBgNVHQ4EFgQUtiqtFaZZ/c4IfWXV5SjJIOPbmoowHwYD
-VR0jBBgwFoAUtmjEAcG9apstYyBr8MACUb2J2jkwEgYDVR0TAQH/BAgwBgEB/wIB
-ADALBgNVHQ8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMEwG
-CCsGAQUFBwEBBEAwPjA8BggrBgEFBQcwAoYwaHR0cHM6Ly9kdXN0aW4uaGF0Y2gu
-bmFtZS9kY2gtY2EvZGNoLXJvb3QtY2EuY3J0MDwGA1UdHwQ1MDMwMaAvoC2GK2h0
-dHBzOi8vZHVzdGluLmhhdGNoLm5hbWUvZGNoLWNhL2RjaC1jYS5jcmwwBQYDK2Vw
-A0EAACaKAJAKejpFXQV+mgPdDXaylvakc4rCEs1pFhPXbbMMGflNOeiiy+c+aMwt
-yfObaZ8/YiXxCSjL6/KzRSSjAQ==
+MIICCTCCAa+gAwIBAgIUZx82NjARN6f1jWUlq/mvaF7oscEwCgYIKoZIzj0EAwIw
+QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
+AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMxMDE2MDU0MTA4WhcNMjYxMDE2MDU0MTA4
+WjAUMRIwEAYDVQQDEwlkY2gtY2EgUjIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
+AAQ1rK98igj6Y5lbeP8HS1zqQCtkcmz8uk1jp4VgznWT3Q8BanjA55UHQi/xx4xz
+BYu4QIkJhtqcR5a7YXSr7fQvo4GyMIGvMB0GA1UdDgQWBBQGy1GZZxrCjGDiIGdR
+YhTMZZqhkTAfBgNVHSMEGDAWgBTM+d8kb1koGmKRtJs4gN9zYa+6oTASBgNVHRMB
+Af8ECDAGAQH/AgEAMAsGA1UdDwQEAwIBhjBMBggrBgEFBQcBAQRAMD4wPAYIKwYB
+BQUHMAKGMGh0dHBzOi8vZHVzdGluLmhhdGNoLm5hbWUvZGNoLWNhL2RjaC1yb290
+LWNhLmNydDAKBggqhkjOPQQDAgNIADBFAiEAovkqUlWkbRXsoHrDv1AfHdox9gS2
+Fdq9wKfDk7H/aPoCIDs4CJBhdPh/a+HZZRQWxBTT3KbbdXAaiT+g/VyD+0qt
 -----END CERTIFICATE-----
diff --git a/step-ca/root_ca.crt b/step-ca/root_ca.crt
index e0235a5..6705c7a 100644
--- a/step-ca/root_ca.crt
+++ b/step-ca/root_ca.crt
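Review bot: As far as the encoded extensions can be read, the new intermediate carries no CRL distribution point and no extended key usage, whereas the removed R3 intermediate advertised https://dustin.hatch.name/dch-ca/dch-ca.crl and was limited to serverAuth/clientAuth; relying parties therefore have no published way to learn that this intermediate has been revoked, and it is unconstrained in the purposes it may issue for, so the README's "Online Intermediate CA" section should state how revocation of the intermediate is meant to be handled. The R3 intermediate is only deleted from the repository, not revoked, and appears to remain valid until 2025-02-17, so any client that imported the R3 root as a trust anchor keeps accepting certificates issued under it; its serial and fingerprint should be recorded and a revocation published at the CRL URL the old certificate advertised before the file is forgotten. The subject of the new certificate also appears to be `CN=dch-ca R2` with no C/O attributes, unlike every other certificate in this change and unlike the *DCH CA R2* name the README gives it, which should be aligned or documented.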
@@ -1,11 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBgTCCATOgAwIBAgIUTf/ZBSJEi8IQb8Ndoxp4/tHB/lcwBQYDK2VwMEAxCzAJ
-BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxFzAVBgNVBAMMDkRD
-SCBSb290IENBIFIzMB4XDTI0MDIxNzIwMjkzNloXDTM0MDIxNzIwMjkzNlowQDEL
-MAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UEAwwO
-RENIIFJvb3QgQ0EgUjMwKjAFBgMrZXADIQDORylVcWcxwGDJvsJIc2NctfNfDaIU
-T6mLebahKdshaKM/MD0wHQYDVR0OBBYEFLZoxAHBvWqbLWMga/DAAlG9ido5MA8G
-A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMAUGAytlcANBANLV79joVd9s9bmL
-0a91HqvOotOnN/416Ek4UTl95jIqy/TvTfRjXX56wSALXqP1iYQM5i3zk3gVEhh4
-DaY+6wQ=
+MIIBxDCCAWqgAwIBAgIUbHz2tssa09zsHk+EdGD3QKprMKQwCgYIKoZIzj0EAwQw
+QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
+AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMwOTI0MjA1MzA5WhcNNDMwOTE5MjA1MzA5
+WjBAMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMRcwFQYD
+VQQDDA5EQ0ggUm9vdCBDQSBSMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2D
+NJHRcjuA19ZoprBKaxIfUxAbz6LigM7dgtO6+isaMlxRAVJmsITADIE/22RrUDgD
+Ofkt2iZTUjMrz3AxXhWjQjBAMB0GA1UdDgQWBBTM+d8kb1koGmKRtJs4gN9zYa+6
+oTASBgNVHRMBAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANI
+ADBFAiEA2Ka8mMiAFLmrFWt0dAml247re2+i4UPhyHcOBfNK+goCIHv+vEw7CHZQ
+irIa697nfe4KiXIMwHlAMS1+1QZohFDC
 -----END CERTIFICATE-----
diff --git a/step-ca/secrets.yaml b/step-ca/secrets.yaml
index 31e9626..92dab1f 100644
--- a/step-ca/secrets.yaml
+++ b/step-ca/secrets.yaml
@@ -10,8 +10,8 @@ metadata:
 app.kubernetes.io/part-of: step-ca
 spec:
 encryptedData:
- intermediate_ca.key: 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
- password: AgAspVB0c402ymidL6YoRTRtmPekLZHlQXtZecftoakjm75OArueAnH+1dquknV4MJ7g8XUVLkguh4lKkNPxjCs2Jen5UM+aSxoqii/2KdTAIb1WINebDOhyj3lY8aZw9+qeDfc5590+x+8jASwm7rVf6QfGygdjwQ6D6xeNUC7xwU3bC8xH9mHq2wSKbI6iGAik4Di7Ma4bvm/nTNfB+Ogb7rdLoJsvDDFbZ1io3wWNJGsWleged2HRPPwkmGq7pkxE2xUpjgbqeWX0y8RbNLC6DwsE3mUce9hanfLvxJVCDMnbUKfUYUxULBMFpheT6lmyz1YgFu+NiuSFvX3An4PNfgeQ2Hl931qfoG9h2kX4wyYcJt0ELZ2tdcrSS7zWgNNx450LuWmGQPvhApLhH2U7CUsSrjbWS/NZKMHuZryp0sEtykoEOOtNezU5slSY/0aB9XWFDu78RaYJOZy1VqGy+ulWkhCFv+3D2MEF6JJXmI4RNTdWmUQx1hr85uTS9Xi6stovkLMHxrEJfDI581yZv7Z9DrSssp5U4Ydf3gjKN7UTgFXrSz25R7SJ4lYso7yHhka9L2YMuIuPS7iPg1F+RPjiG6KAxP3roqRfeMXP3LoDn/21pYsO1QNrq2fBLXaO8Wq0hRXaICZzGveWdeM8sIbjBNqxjb50YtmkF/bDI8BY/sogPWitzDDyNU3bVS5Qyl0AaTHasGzJ9Es26Q4C0GHLd3iVQq0GTSsmtUbZGg==
+ intermediate_ca.key: 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
+ password: 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
 template:
 metadata:
 name: step-ca
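Review bot: The two sealed values are replaced with nothing in the file tying them to the certificate they must match, so a later rotation of step-ca/intermediate_ca.crt without this file (or the reverse) would only surface when step-ca fails to start with the mismatched key. A comment above `encryptedData:` such as `# intermediate_ca.key and password belong to step-ca/intermediate_ca.crt (CN=dch-ca R2, notAfter 2026-10-16)` makes the pairing checkable at review time; the CN and date are read from the base64 in that hunk and should be confirmed before being written down. The indentation of the keys under `spec` was lost when this page was flattened and is not something this note can restore.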