There have been some enquiries on this topic. However, some are very old, while others remain unanswered. My research on the subject did not yield much information on the internet. AI also provides different instructions each time 
Does univention have official instructions on how to convert the self-signed CA into an intermediate CA?
I would also like to know how to equip the next UCS AD servers with a valid CA afterwards and how to adjust any LDAPS configurations.
I have also seen that services use this CA-certificate for their own encryption (apache / postfix…). Should this be the case, or should I generate my own certificate with a shorter validity period for this purpose?
Can anyone help?