For detailed configuration steps, please refer to:Make VMCA an Intermediate Certificate Authority Using the Certificate Manager

This article clarifies the supportability of using VMCA as an intermediate CA within a VMware Cloud Foundation (VCF) infrastructure

VMware Cloud Foundation (VCF) does not support configuring the VMCA as an intermediate CA. Implementing this configuration disrupts the certificate management workflow for both Greenfield deployments and Brownfield Import operations (vSphere-to-VCF conversions).

If a vCenter Server has already been configured as an intermediate CA, the following procedure must be used to revert it to the default configuration.

Note: This process will reset all existing custom certificates installed on the vCenter Server where the procedure is applied.

Resetting the certificates to default:

• Take powered-off snapshots of all the vCenters in the VCF infra. If the infrastructure has a single vCenter or isolated VI domains, then take a snapshot without memory in the powered-on state. 
• To reset the certificate, follow the techdocs, Reset All Certificates Using the Certificate Manager. This will regenerate all the certificates of the vCenter 

Re-trusting the vCenter on the SDDC manager. 

Once the vCenter is reset to defaults from the previous steps, the new root CA of the vCenter needs to be added to the SDDC manager's trust store 

• Follow the steps from the KB article: How to import the vCenter root certificate into the SDDC manager TrustStore 

Note: To replace the vCenter with Custom certificates, again refer to: Managing Certificates in VMware Cloud Foundation 

For Brownfield import

• For brownfield import scenarios, simply re-execute the import operations from the sddc manager command line, refer to the techdocs Convert a vSphere Environment to a Management Domain or Import a vSphere Environment as a VI Workload Domain in VMware Cloud Foundation.