You can create a root (self-signed) CA or create an intermediate CA instead and sign its certificate by any external trusted CA. If you want to create an intermediate CA (in other words, sign it by external CA), you need to create a CA and then follow the steps shown in the diagram below.