This seems like a matter of signing a certificate signed by an actual CA with your own CA as well. If the relationship sours, you still have your own CA to vouch for it.
That doesn't achieve anything at a country level if trust stores don't include your CA directly. A country can't just push an update to all its citizens' computers to switch CA, it has to plan ahead for such eventualitites.