VMware Cloud Community

Adding VCSA as a subCA to a Microsoft standalone root CA without certificate templates

We are in the process of setting up vSphere 6.0 vCenter using the appliance. One of the things I want to do is integrate the certificate functions in VCSA with our Microsoft CA structure by making the vCenter Platform Services Controller a sub CA in our structure.


I've found several sources showing how to do this; however, all of the documentation I've seen on setting up the VCSA as a subCA involves using the certificate templates.

The issue for us is that our root CA is a standalone root, not an enterprise one, so it can't use templates.


From what I've found out, it looks like I might be able to create a policy.inf file, and then use the command line "certreq" command on the root CA and specify the policy. The problem is that I'm not finding much on how to set up the policy.inf file.


Our certificate structure does have two enterprise sub CAs. These are the ones that we use to issue certificates to workstations, servers, etc. Can/should I just make the VCSA a subCA under one of the existing subCAs? I didn't know if it was a good idea (or even possible) to have a sub CA under another sub CA.

Any suggestions would be appreciated.
