Add CA certs while deploying a cloud proxy in VMware Aria Operations

Article ID: 320344

Products

VMware Aria Suite

Issue/Introduction

This article provides steps to add a new certificate into a VMware Aria Operations (formerly known as vRealize Operations) or VMware Aria Operations (SaaS) Cloud Proxy. 
The Cloud Proxy certificate is used for endpoint connection validation.

Considerations:
  • (On-prem only) If the Cloud Proxy connects directly to VMware Aria Operations then the VMware Aria Operations root CA of the web certificate should be added into the Cloud Proxy.
  • If the Cloud Proxy connects to VMware Aria Operations via a Network Proxy, then the endpoint for the Cloud Proxy is a Network Proxy and the Network Proxy root CA certificate should be added into the Cloud Proxy.
  • If the Cloud Proxy connects to VMware Aria Operations via a Load Balancer where the SSL termination is configured, then the endpoint for the Cloud Proxy is a Load Balancer and the Load Balancer root CA certificate should be added into the Cloud Proxy.
  • (SaaS only) In cases where SSL termination is not configured and a network proxy is not in-place, the certificate will not be CA issued and instead a self-signed certificate will be used.
Note: In cases where a Load Balancer and a Network Proxy are both configured, the Network Proxy should be considered the connection endpoint for the Cloud Proxy.

Environment

VMware vRealize Operations 8.4.x
VMware vRealize Operations 8.5.x
VMware vRealize Operations 8.10.x
VMware Aria Operations 8.12.x
VMware vRealize Operations 8.6.x

Resolution

The root CA certificate can be added into a Cloud Proxy by one of two methods. Follow the appropriate method for your situation.

 

Add root CA certificate during Cloud Proxy deployment

During the Cloud Proxy OVA/OVF deployment, the Customize template menu allows you to paste the certificate content in the Network Proxy Settings > Custom CA field.

Note: Do not include the following lines from the certificate authority:       
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


Example: [Screenshot: Root CA example during Cloud Proxy deployment]

Note: This method is not applicable for new Cloud Proxy deployments when the Cloud Proxy connection endpoint is the VMware Aria Operations cluster. The VMware Aria Operations certificate for new installations is passed via the OTK key.

 

Add root CA certificate to Cloud Proxy after deployment

This method should also be used when the VMware Aria Operations web certificate is changed, or when the Cloud Proxy connection endpoint should be changed to a Network Proxy or a Load Balancer which is used for SSL certificate connection.
Note: After the VMware Aria Operations 8.6.x - 8.10.x web certificate is changed, immediately update the Cloud Proxy certificate as well to resume connectivity.  Starting in VMware Aria Operations 8.12 and onwards, the Cloud Proxy certificate will automatically get updated from the VMware Aria Operations Cluster's web certificate.
  1. From the vCenter Server Web interface, perform a guest shut down on the Cloud Proxy VM.
  2. From the vCenter Server Web interface select the Cloud Proxy VM and click the Configure tab on the right.
  3. Navigate to vApp Options > Properties.
  4. Under custom_ca value, press Set Value and paste the certificate content provided by your CA.
     Note: Do not include the following lines from the certificate authority:
     -----BEGIN CERTIFICATE-----
     -----END CERTIFICATE-----
  5. Power on the Cloud Proxy VM.
After the Cloud Proxy startup completes, the certificate will be stored in the Cloud Proxy's certificate store.  For further certificate changes, the custom_ca value should be replaced with new root CA.

Example: [Screenshot: Root CA example after Cloud Proxy deployment]
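Both the Custom CA field at deployment and the custom_ca vApp property expect the certificate content without the BEGIN/END lines. The following is an added example, not VMware-provided tooling, that prepares that value from a PEM file and rejects a truncated or malformed paste before it reaches the Cloud Proxy. The function names and the sample data are hypothetical. The sketch assumes a single certificate per file and checks only the base64 and DER framing, not that the certificate is actually a CA.

```python
import base64
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-in, NOT a real certificate: a DER SEQUENCE header plus filler.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = "\n".join(
    [BEGIN, *textwrap.wrap(base64.b64encode(FAKE_DER).decode(), 64), END, ""]
)


def der_length_ok(der: bytes) -> bool:
    """True if der is one DER SEQUENCE whose declared length spans the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short-form length
        return 2 + first == len(der)
    n = first & 0x7F  # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)


def custom_ca_value(pem_text: str) -> str:
    """Return the certificate body with the BEGIN/END marker lines removed."""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    # Assumption of this sketch: exactly one certificate block per file.
    if lines.count(BEGIN) != 1 or lines.count(END) != 1:
        raise ValueError("expected exactly one certificate block")
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("unexpected text outside the certificate block")
    body = lines[1:-1]
    try:
        der = base64.b64decode("".join(body), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc
    if not der_length_ok(der):
        raise ValueError("certificate body is truncated or not DER")
    return "\n".join(body)


if __name__ == "__main__":
    print(custom_ca_value(SAMPLE_PEM))
```

A body line lost while copying changes the decoded length, so the DER length check fails instead of a broken value being pasted into the property.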