[Freeipa-users] ipaCertSubject uniqueness check

I'm currently running ipaServer 4.6.8 on Centos7. I have an IPA CA, and an external CA for user smartcard authentication provided by a third party. I have used ipa-cacart-manage to add the external CA chain to IPA, and it worked fine. The external CA re-keyed one of the certs in the chain, and kept the subject name the same. So the key, serial, expiration are different, but the placement in the chain, the the ipaCertSubject are the same. Both the old cert and the new one are valid, and some cards have the old chain still valid, and some have the new chain valid. So if I go and try to use ipa-cacert-manage to add the NEW cert, I get "Failed to install the certificate: subject public key info mismatch" which I assume is due to the ipaCertSubject being the same (docs: https://www.freeipa.org/page/V4/CA_certificate_renewal ) Is this expected behavior? Is there a workaround? Or will i have to use ldapdelete and certutil -D to delete the old key, and then install the new key. In this process, the users with the OLD key will lose the ability to log in with their smart cards until new certs are issued to them. Thanks!