You can replace the VMCA root certificate with a third-party CA-signed certificate that includes VMCA in the certificate chain. Going forward, all certificates that VMCA generates include the full chain. You can replace existing certificates with newly generated certificates.
What to read next
Replace the Root Certificate (Intermediate CA): The first step in replacing the VMCA certificates with custom certificates is generating a CSR and sending the CSR to be signed. You then add the signed certificate to VMCA as a root certificate.
Replace Machine SSL Certificates (Intermediate CA): After you have received the signed certificate from the CA and made it the VMCA root certificate, you can replace all machine SSL certificates.
Replace Solution User Certificates (Intermediate CA): After you replace the machine SSL certificates, you can replace the solution user certificates.
Replace the VMware Directory Service Certificate in Mixed Mode Environments: During upgrade, your environment might temporarily include both vCenter Single Sign-On version 5.5 and vCenter Single Sign-On version 6.x. In that case, you have to perform additional steps to replace the VMware Directory Service SSL certificate if you replace the SSL certificate of the node on which the vCenter Single Sign-On service is running.