02-26-2023 12:43 PM
I am trying to renew SSL vpn cert on FTD through FMC. I am following the guideline "Install and Renew Certificates on FTD Managed by FMC". I am doing the PKCS12 Renewal.
I created the CSR and now received the cert. There are two commands in OpenSSL to get the PKCS12 format. I am not sure which one to use. I am also not sure which option to choose from for the available cert format.
In order to only include the CA certificate issued within the PKCS12, use this command:
openssl pkcs12 -export -out ftd.pfx -in ftd.crt -inkey private.key -certfile ca.crt
If the certificate is a part of a chain with a root CA and 1 or more intermediate CAs, this command can be used to add the complete chain in the PKCS12:
openssl pkcs12 -export -out ftd.pfx -in ftd.crt -inkey private.key -chain -CAfile cachain.pem
These are the formats provided with the new cert. If I go for option 2 (complete chain), which one of the below cert options will I be using?
Available formats:
1. as Certificate only, PEM encoded:
2. as Certificate (w/ issuer after), PEM encoded:
3. as Certificate (w/ chain), PEM encoded:
Issuing CA certificates only:
4. as Root/Intermediate(s) only, PEM encoded:
5. as Intermediate(s)/Root only, PEM encoded:
As a next part of this question, I need to understand where in FMC I need to complete the renewal. There are two places I see in FMC. One is OBJECTS > PKI > CERT ENROLLMENT and the second is DEVICES > CERTIFICATE. What do I do in each section, or can I just do it all in one section?
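The two export commands quoted in the post above, run side by side on a throwaway chain so the contents of each PKCS12 file can be compared. This is an added example, not part of the original post or the Cisco guide; the demo subjects, the output names ftd_ca_only.pfx and ftd_chain.pfx, and the password "example" are assumptions.

```shell
#!/bin/sh
# Added example: constructed throwaway chain. Subjects, the two .pfx output
# names and the password "example" are assumptions made for this demo.
set -eu

new_csr() {  # new_csr <name> <CN>: writes <name>.key and <name>.csr
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_chain() {  # root.crt -> ca.crt (intermediate) -> ftd.crt (leaf)
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    new_csr root "Demo Root CA"
    new_csr ca "Demo Intermediate CA"
    new_csr private "ftd.example.test"
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.crt 2>/dev/null
    openssl x509 -req -in ca.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 2 -out ca.crt 2>/dev/null
    openssl x509 -req -in private.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 2 -out ftd.crt 2>/dev/null
    cat ca.crt root.crt > cachain.pem   # issuing CAs only, no leaf
}

export_both() {
    # Command 1: leaf plus exactly the certificates found in -certfile
    openssl pkcs12 -export -out ftd_ca_only.pfx -in ftd.crt -inkey private.key \
        -certfile ca.crt -passout pass:example
    # Command 2: leaf plus the chain OpenSSL builds and verifies from -CAfile
    openssl pkcs12 -export -out ftd_chain.pfx -in ftd.crt -inkey private.key \
        -chain -CAfile cachain.pem -passout pass:example
}

count_certs() {  # number of certificates stored in a PKCS12 file
    openssl pkcs12 -in "$1" -nokeys -passin pass:example 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"
make_chain
export_both
echo "-certfile ca.crt:           $(count_certs ftd_ca_only.pfx) certificates"
echo "-chain -CAfile cachain.pem: $(count_certs ftd_chain.pfx) certificates"
```

The same `openssl pkcs12 -in <file> -nokeys` inspection works on a real export to confirm which CA certificates it carries before it is uploaded.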
02-27-2023 12:30 PM
Any suggestions for this, please?
02-27-2023 03:42 PM
Check this guide: