According to: https://blogs.technet.microsoft.com/jeffbutte/2018/04/05/linux-certificate-enrollment-and-automated-renewal-using-ndes-v2/
There are two problems:
1) Certmonger does not appear to have a provision for downloading a CA chain.
2) Certmonger has issues with multi-tiered Windows-based CA hierarchies.
Is this still true?
certmonger can download the chain but yes, it doesn't automatically add it to the system-wide trust list.
It works fine with subordinate CAs. A user who contributed to the SCEP support last year had such a setup and it worked fine.