I remember running into this at a past employer where TLS certs were core to the business. It happened on a New Year’s Day, and I spent a lot of that holiday trying to fix it.
https://hacks.mozilla.org/2019/05/technical-details-on-the-recent-firefox-add-on-outage/
Follow
The core problem is people mostly only think about roots and leaves; it’s not until you get bit by this that it starts to become institutional memory.
The problem is intermediates are often signed for ~3 years - just long enough for a lot of the engineers who set them up to have left or to be mostly forgotten because they just work. Three years comes faster than you think...