You can make VMCA an Intermediate CA by following the prompts from Certificate Manager utility. After you complete the process, VMCA signs all new certificates with the full chain. If you want, you can use Certificate Manager to replace all existing certificates with new VMCA-signed certificates.
To make VMCA an intermediate CA, you have to run Certificate Manager several times. The workflow gives the complete set of steps for replacing both machine SSL certificates and solution user certificates. It explains what to do in environments with embedded Platform Services Controller or external Platform Services Controller.
To generate a CSR, select Option 1, Replace Machine SSL certificate with Custom Certificate then Option 1.
You receive a signed certificate and a root certificate from the CA.
Combine the VMCA root certificate with the CA root certificate and save the file.
Select Option 2, Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates. This process replaces all certificates on the local machine.
In a multi-node deployment, you have to replace certificates on each node.
First you replace the machine SSL certificate with the (new) VMCA certificate (Option 3)
Then you replace the solution user certificates with the (new) VMCA certificate (Option 6).