You can make VMCA an Intermediate CA by following the prompts from Certificate Manager utility. After you complete the process, VMCA signs all new certificates with the full chain. If you want, you can use Certificate Manager to replace all existing certificates with new VMCA-signed certificates.

VMware does not recommend operating VMCA as a subordinate (or intermediate) certificate authority. If you choose this option, you might encounter significant complexity and the potential for a negative impact to your security, and an unnecessary increase in your operational risk. For more information about managing certificates within a vSphere environment, see the blog post titled New Product Walkthrough - Hybrid vSphere SSL Certificate Replacement at

To make VMCA an intermediate CA, you have to run Certificate Manager several times. The workflow gives the complete set of steps for replacing machine SSL certificates.
  1. To generate a CSR, select Option 1, Replace Machine SSL certificate with Custom Certificate then Option 1.

    You receive a signed certificate and a root certificate from the CA.

  2. Combine the VMCA root certificate with the CA root certificate and save the file.
  3. Select Option 2, Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates. This process replaces all certificates on the local machine.