I want to build an additional primary ZCM server into an existing single-server zone.

The issue: Certificate Authority.

I want all the primaries to be CAs, but with their CA role turned off. The reason for this is that IF the first server, which is the zone CA, is destroyed, none of the other servers can become a CA using the same root certificate. This means that they will all 'fail-safe' to using their local cert and CA, thus breaking trust throughout the zone.

As far as I can tell, there's no option to become a CA if it is the second server in the zone, nor can I find a process to convert it to a CA after install.

Any thoughts?