@Pavel yannara Mirochnitchenko, thanks for posting in Q&A. In fact, Microsoft Cloud PKI is used to issue certificates for Intune-managed devices.
https://video2.skills-academy.com/en-us/mem/intune/protect/microsoft-cloud-pki-overview
Currently, Windows Server cannot be managed by Intune yet, so we can't deploy certificates to a Windows web server yet.
https://video2.skills-academy.com/en-us/mem/intune/fundamentals/supported-devices-browsers
Meanwhile, the web server certificate is used to enable secure communication between a web server and a web browser. The subject name needs to be the web server name or the name you used to publish it. The root CA and issuing CA certificates are used to validate that the certificate you request from the CA is valid, and they can't be bound to HTTPS.
Hope the above information can help.
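The distinction drawn in the answer between a web server certificate and the root or issuing CA certificates can be checked on the server itself. The PowerShell below is an added example, not part of the answer or of Microsoft's documentation. It assumes the certificates are in the `LocalMachine\My` store; `Test-HttpsBindingCert` is a hypothetical helper name and `www.contoso.com` is a constructed host name.

```powershell
# Added example: reports whether each certificate could serve as an HTTPS binding.
function Test-HttpsBindingCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [Parameter(Mandatory)] [string] $HostName
    )
    $problems = @()

    # Root and issuing CA certificates carry Basic Constraints with CA=TRUE.
    $bc = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if ($bc -and $bc.CertificateAuthority) {
        $problems += 'CA certificate: validates the chain, not usable as the HTTPS binding'
    }

    # The server must hold the private key to complete the TLS handshake.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the store' }

    # If an EKU extension is present, it must include Server Authentication.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains '1.3.6.1.5.5.7.3.1') {
            $problems += 'EKU lacks Server Authentication (1.3.6.1.5.5.7.3.1)'
        }
    }

    # The name the site is published under must appear among the certificate's DNS names.
    $names  = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    $parent = ($HostName -split '\.', 2)[1]   # host name with its first label removed
    $match  = $names | Where-Object {
        $_ -eq $HostName -or ($_.StartsWith('*.') -and $_.Substring(2) -eq $parent) }
    if (-not $match) { $problems += "'$HostName' not in: $($names -join ', ')" }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems -join '; '
    }
}

# Constructed host name; replace with the name the site is published under.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-HttpsBindingCert -Cert $_ -HostName 'www.contoso.com' } |
    Format-Table -AutoSize -Wrap
```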