You can replace the VMCA root certificate with a third-party CA-signed certificate that includes VMCA in the certificate chain. Going forward, all certificates that VMCA generates include the full chain. You can replace existing certificates with newly generated certificates.
What to read next
Procedure
Replace the Root Certificate (Intermediate CA) Replace Machine SSL Certificates (Intermediate CA) Replace Solution User Certificates (Intermediate CA) Replace the VMware Directory Service Certificate in Mixed Mode Environments vCenter Single Sign-On version 5.5 and vCenter Single Sign-On version 6.x. For that case, you have to perform additional steps to replace the VMware Directory Service SSL certificate if you replace the SSL certificate of the node on which the vCenter Single Sign-On service is running.
