It’s very close to the existing PKI ecosystem for TLS: the CA is presented a possession proof for the locally held private key, and mints a signing certificate for it.

There is no singular “root certificate”: there’s a trust root for the CA, a separate root for the transparency log, etc.