
I have been working on rotating Orderer node certs from cryptogen to Fabric CA. I have been following the official documentation here: https://hyperledger-fabric.readthedocs.io/en/release-1.4/raft_configuration.html

Below are the steps that I have tried so far:

  1. Generate new certs with the Fabric CA server for each of the nodes.
  2. Update the configtx.yaml MSP path with the new MSP path created for the orderer.
  3. Create a new Orderer.json based on the new configtx.yaml.
  4. Update the system channel with the new certs using jq.

Currently I am getting an error when I try to update the system channel 'testchainid'. The error seen is:

Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'testchainid': error authorizing update: error validating DeltaSet: invalid mod_policy for element [Group] /Channel/Application: mod_policy not set

Sharing the steps performed on the peer CLI:

peer channel fetch config config_block.pb -o orderer.org.com:7050 -c $CHANNEL_NAME --tls --cafile $ORDERER_CA

configtxlator proto_decode --input config_block.pb --type common.Block | jq .data.data[0].payload.data.config > config.json

# Merge Orderer.json into the fetched config under .channel_group.groups.Application.groups.OrdererMSP, then output a new json file
jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"OrdererMSP":.[1]}}}}}' config.json Orderer.json > modified_config.json

# remove the existing (cryptogen) consenter entries; the Fabric CA TLS certs are added below
jq 'del(.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters[])' modified_config.json > modified_config_1.json

# new Fabric CA-issued TLS cert for orderer, base64-encoded on a single line for the consenter entry
cert1=$(base64 /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/org.com/orderer/tls-msp/signcerts/cert.pem | sed ':a;N;$!ba;s/\n//g')

# new Fabric CA-issued TLS cert for orderer1, base64-encoded on a single line
cert2=$(base64 /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/org.com/orderer1/tls-msp/signcerts/cert.pem | sed ':a;N;$!ba;s/\n//g')

# new Fabric CA-issued TLS cert for orderer2, base64-encoded on a single line
cert3=$(base64 /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/org.com/orderer2/tls-msp/signcerts/cert.pem | sed ':a;N;$!ba;s/\n//g')

# append the three new consenter entries (client and server TLS cert set to the same cert) in one update
jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert1'", "host": "orderer.org.com", "port": 7050, "server_tls_cert": "'$cert1'"}] | .channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert2'", "host": "orderer1.org.com", "port": 7050, "server_tls_cert": "'$cert2'"}] | .channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert3'", "host": "orderer2.org.com", "port": 7050, "server_tls_cert": "'$cert3'"}] ' modified_config_1.json > modified_config_2.json

# Converts config.json into config.pb
configtxlator proto_encode --input config.json --type common.Config --output config.pb

# Converts modified_config.json into modified_config.pb
configtxlator proto_encode --input modified_config.json --type common.Config --output modified_config.pb

# Converts modified_config_1.json into modified_config_1.pb
configtxlator proto_encode --input modified_config_1.json --type common.Config --output modified_config_1.pb

# Converts modified_config_2.json into modified_config_2.pb
configtxlator proto_encode --input modified_config_2.json --type common.Config --output modified_config_2.pb

# Calculates the delta between config.pb and modified_config_2.pb, then outputs the update
# (only config.pb and modified_config_2.pb are consumed here; the other two .pb files are not used)
configtxlator compute_update --channel_id $CHANNEL_NAME --original config.pb --updated modified_config_2.pb --output Orderer_ca_update.pb

configtxlator proto_decode --input Orderer_ca_update.pb --type common.ConfigUpdate | jq . > Orderer_ca_update.json

echo '{"payload":{"header":{"channel_header":{"channel_id":"testchainid", "type":2}},"data":{"config_update":'"$(cat Orderer_ca_update.json)"'}}}' | jq . > Orderer_ca_update_in_envelope.json

configtxlator proto_encode --input Orderer_ca_update_in_envelope.json --type common.Envelope --output Orderer_ca_update_in_envelope.pb

peer channel signconfigtx -f Orderer_ca_update_in_envelope.pb

peer channel update -f Orderer_ca_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.org.com:7050 --tls --cafile $ORDERER_CA

Any help on how to fix the issue would be much appreciated.

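The following is an added example and is not code from the question, from the answers, or from Hyperledger Fabric. It redoes the post's jq manipulations in Python against a small constructed system-channel config in configtxlator's JSON shape (the real config carries many more values and policies; the sample keeps only what the check needs). It reproduces the post's merge of Orderer.json under an Application group, which on a system channel creates a group with no mod_policy, and runs the same "every group, value and policy must carry a mod_policy" check the orderer's DeltaSet validation applies. It then rotates the TLS cert of a single consenter in place, matched by host:port, instead of deleting all consenters and appending new ones, and counts how many consenters an update touches; etcdraft accepts one consenter change per config update, so three nodes need three updates. The function and file names are the example's own.

```python
"""Added example, not code from the question or from Hyperledger Fabric."""
import base64
import copy

# Path of the etcdraft consenter list, relative to channel_group (same path the post's jq uses)
CONSENTERS_PATH = ("groups", "Orderer", "values", "ConsensusType",
                   "value", "metadata", "consenters")


def consenters(config):
    """Return the consenter list of a decoded channel config."""
    node = config["channel_group"]
    for key in CONSENTERS_PATH:
        node = node[key]
    return node


def find_missing_mod_policy(config):
    """Paths of config elements whose mod_policy is missing or empty (the quoted error)."""
    missing = []

    def walk(element, path):
        if not element.get("mod_policy"):
            missing.append(path)
        for kind in ("groups", "values", "policies"):
            for name, child in element.get(kind, {}).items():
                walk(child, f"{path}/{name}")

    walk(config["channel_group"], "/Channel")
    return missing


def pem_to_consenter_b64(pem):
    """Consenter certs are the base64 of the PEM bytes on one line (what base64|sed produced)."""
    return base64.b64encode(pem.encode()).decode()


def merge_under_application(config, org_json):
    """Reproduce the post's `jq -s '.[0] * {channel_group:{groups:{Application:...}}}'`.

    A system channel has no Application group, so the recursive merge creates
    one holding only "groups", with no mod_policy.
    """
    updated = copy.deepcopy(config)
    app = updated["channel_group"]["groups"].setdefault("Application", {})
    app.setdefault("groups", {})["OrdererMSP"] = org_json
    return updated


def rotate_consenter_cert(config, host, port, new_cert_pem):
    """Replace the TLS certs of exactly one consenter (by host:port); returns a new config."""
    updated = copy.deepcopy(config)
    hits = [c for c in consenters(updated) if c["host"] == host and c["port"] == port]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one consenter for {host}:{port}, found {len(hits)}")
    cert_b64 = pem_to_consenter_b64(new_cert_pem)
    hits[0]["client_tls_cert"] = cert_b64
    hits[0]["server_tls_cert"] = cert_b64
    return updated


def count_consenter_changes(old_config, new_config):
    """Consenters added, removed or re-certified between two configs (should be 1 per update)."""
    def certs_by_node(config):
        return {(c["host"], c["port"]): (c["client_tls_cert"], c["server_tls_cert"])
                for c in consenters(config)}
    old, new = certs_by_node(old_config), certs_by_node(new_config)
    added_or_removed = old.keys() ^ new.keys()
    recertified = {k for k in old.keys() & new.keys() if old[k] != new[k]}
    return len(added_or_removed) + len(recertified)


def sample_system_channel_config():
    """Constructed minimal system-channel config; hosts follow the post, certs are placeholders."""
    old = pem_to_consenter_b64("-----BEGIN CERTIFICATE-----\nOLD\n-----END CERTIFICATE-----\n")

    def entry(host):
        return {"host": host, "port": 7050, "client_tls_cert": old, "server_tls_cert": old}

    empty = {"groups": {}, "values": {}, "policies": {}}
    return {"channel_group": {
        "mod_policy": "Admins", "values": {}, "policies": {},
        "groups": {
            "Orderer": {
                "mod_policy": "Admins",
                "groups": {"OrdererMSP": {"mod_policy": "Admins", **empty}},
                "values": {"ConsensusType": {"mod_policy": "Admins", "value": {
                    "type": "etcdraft", "metadata": {"consenters": [
                        entry("orderer.org.com"), entry("orderer1.org.com"), entry("orderer2.org.com")]}}}},
                "policies": {"Admins": {"mod_policy": "Admins", "policy": {}}},
            },
            "Consortiums": {"mod_policy": "/Channel/Orderer/Admins", **empty},
        }}}


if __name__ == "__main__":
    cfg = sample_system_channel_config()
    bad = merge_under_application(cfg, {"mod_policy": "Admins", "groups": {}, "values": {}, "policies": {}})
    print("missing mod_policy after the post's merge:", find_missing_mod_policy(bad))
    new_pem = "-----BEGIN CERTIFICATE-----\nNEW\n-----END CERTIFICATE-----\n"
    rotated = rotate_consenter_cert(cfg, "orderer1.org.com", 7050, new_pem)
    print("missing mod_policy after in-place rotation:", find_missing_mod_policy(rotated))
    print("consenters changed by the rotation update:", count_consenter_changes(cfg, rotated))
```

Run against a real `config.json` produced by `configtxlator proto_decode`, `find_missing_mod_policy` on the modified config reports the offending path before the update is ever submitted, and `count_consenter_changes` between the original and modified config shows whether the update touches more than one consenter.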