How to properly use CRL for two root certs?

  • IvanKuznetsov
    Junior Member
    • Dec 2024
    • 1

    How to properly use CRL for two root certs?

    Hello

    We have an OpenVPN host with a number of clients connected. Our root certificate is near end of life, so I generated a new one and began to issue new client certs over it. I made a "combined" ca.crt with both old and new root certs and use it in the OpenVPN config to enable both "old" and "new" client connections. It works fine.

    Sometimes clients go away and their certs need to be revoked. We have a "crl-verify crl.pem" statement in the OpenVPN config to handle this. The problem is CRL generation. If I revoke a "new" client cert and sign crl.pem with the new root cert, it works: the client can't connect anymore. If I revoke an "old" one and update crl.pem, signing with the new root, it does not work. I can see the client cert serial number in crl.pem, but the client *can* connect. I see a log message "VERIFY WARNING: unable to get certificate CRL". It seems I need to have two CRLs: one for "old" clients signed by the old root and another one for "new" clients signed by the new root. How can I have two CRLs in the OpenVPN config?

    regards, Ivan