In the Hybrid approach, VCMA works independently of the Enterprise PKI. The Machine SSL certificate of each management node (VCSA/PSC) is replaced with a Web Certificate from the Enterprise or Public PKI.

Since VMCA is not configured as a subordinate of the Enterprise CA, it cannot issue CA chain certificates. It can only be used to issue/manage the certificates of solution users and ESXi hosts. 

If you check the certificate for the web client connection, it will be marked as secure. The certification path will show you that the certificate is a child of the root CA: