Thanks for the clarification! You might want to add that point to your technical how-it-works section[1]. I was wondering how older browsers would accept a new CA's signature.
Also, I really wish AOL would have donated their root certs to y'all[2] so you didn't have to set up a whole new CA.
I don't know why AOL keeps being brought up, but it's highly unlikely they would do this. For one, it's probably used internally for smart cards/SMIME. Secondly, it'd be very hard to get AOL to spend money on doing something for free. Moving a CA to a different company is no small feat, operationally...