Customers usually need to protect web access to applications like SOAR, Intelligence, ESM CC with their own certificates enrolled by a corporate CA. Usually, when performing such operations, customers are allowed to produce a certificate request for the entity to protect (for example: a TLS certificate that protects SOAR --> https://soar.mycompany.org) and then enroll it with their Certification Authority. The procedure (for ArcSight CDF 2021.1 and also for 2022.1) actually forces the user to create a CSR for, or to import, an **intermediate CA** certificate with the ability to enroll its own certificates. This way CDF can enroll its own certificates, signed by the customer's intermediate CA certificate, including the one that will secure the web channel (like SOAR TLS). This has been confirmed by internal tests and Micro Focus support. Unfortunately, customers will hardly consent to enroll such an intermediate certificate (that is, basically, a sub-CA!) just to manage TLS certificates for CDF applications. This is for both policy and security reasons.
Micro Focus should implement a way to simply enroll a TLS certificate with the customer's CA and install it on CDF, as happens for other Micro Focus tools like ArcMc, Logger, ESM.