By default, VMware Aria Operations for Logs installs a self-signed SSL certificate on the virtual appliance.

The self-signed certificate generates security warnings when you connect to the VMware Aria Operations for Logs web user interface. If you do not want to use a self-signed security certificate, you can install a custom SSL certificate. The only feature requiring a custom SSL certificate is Log Forwarding through SSL. If you have a Cluster setup with ILB enabled, see Activate the Integrated Load Balancer for the specific requirements of a custom SSL certificate.

Note: The VMware Aria Operations for Logs web user interface and the ingestion protocol cfapi use the same certificate for authentication.

Prerequisites

  • Verify that your custom SSL certificate meets the following requirements.
    • The certificate allows the SSL Client key usage extension.
    • The CommonName contains a wildcard or exact match for the primary node or FQDN of the virtual IP address. Optionally, all other IP addresses and FQDNs are listed as subjectAltName.
    • The certificate file contains both a valid private key and a valid certificate chain.
    • The private key is generated by the RSA or the DSA algorithm.
    • The private key is not encrypted by a pass phrase.
    • If the certificate is signed by a chain of other certificates, all other certificates are included in the certificate file that you plan to import.
    • The private key and all the certificates that are included in the certificate file are PEM-encoded. VMware Aria Operations for Logs does not support DER-encoded certificates and private keys.
    • The private key and all the certificates that are included in the certificate file are in the PEM format. VMware Aria Operations for Logs does not support certificates in the PFX, PKCS12, PKCS7, or other formats.
  • Verify that you concatenate the entire body of each certificate into a single text file in the following order.
    1. The Private Key - your_domain_name.key
    2. The Primary Certificate - your_domain_name.crt
    3. The Intermediate Certificate - DigiCertCA.crt
    4. The Root Certificate - TrustedRoot.crt
  • Verify that you include the beginning and ending tags of each certificate in the following format.
    -----BEGIN PRIVATE KEY----- 
    (Your Private Key: your_domain_name.key) 
    -----END PRIVATE KEY----- 
    -----BEGIN CERTIFICATE----- 
    (Your Primary SSL certificate: your_domain_name.crt) 
    -----END CERTIFICATE----- 
    -----BEGIN CERTIFICATE----- 
    (Your Intermediate certificate: DigiCertCA.crt) 
    -----END CERTIFICATE----- 
    -----BEGIN CERTIFICATE----- 
    (Your Root certificate: TrustedRoot.crt) 
    -----END CERTIFICATE-----
  • Verify that you are logged in to the VMware Aria Operations for Logs web user interface as a Super Admin user, or a user associated with a role that has the relevant permissions. See Create and Modify Roles for more information. The URL format of the web user interface is https://operations-for-logs-host, where operations-for-logs-host is the IP address or host name of the VMware Aria Operations for Logs virtual appliance.
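
The structural prerequisites above (PEM text only, unencrypted private key first, certificates after it) can be checked before upload; the following is an added example, not VMware code, and the names check_bundle and pem are hypothetical. It inspects block labels and encoding only: it does not verify the chain, the CommonName or key usage, and a PKCS#8 "PRIVATE KEY" label does not reveal whether the key is RSA or DSA.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----[ \t]*\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "DSA PRIVATE KEY"}


def check_bundle(text):
    """Return the problems found in a concatenated PEM file (empty list = OK)."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM blocks found (DER, PFX, PKCS12 files are not PEM text)"]
    problems = []
    first = blocks[0][0]
    # Order: the private key first, then primary, intermediate and root certs.
    if first == "ENCRYPTED PRIVATE KEY":
        problems.append("private key is encrypted by a pass phrase")
    elif first not in KEY_LABELS:
        problems.append(f"block 1 must be an RSA or DSA private key, found {first}")
    if len(blocks) < 2:
        problems.append("no certificate follows the private key")
    for i, (label, body) in enumerate(blocks, 1):
        if i > 1 and label != "CERTIFICATE":
            problems.append(f"block {i} must be a CERTIFICATE, found {label}")
        # Traditional OpenSSL keys mark encryption with a header inside the block.
        if "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is encrypted by a pass phrase")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {i} ({label}) is not valid base64")
            continue
        # Keys and certificates are DER SEQUENCEs, so the first byte is 0x30.
        if not der.startswith(b"\x30"):
            problems.append(f"block {i} ({label}) is not a DER SEQUENCE")
    return problems


def pem(label, der=b"\x30\x03\x02\x01\x00"):
    """Build a constructed PEM block (placeholder DER, not a real key or cert)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


if __name__ == "__main__":
    good = pem("PRIVATE KEY") + pem("CERTIFICATE") * 3
    bad = pem("CERTIFICATE") + pem("ENCRYPTED PRIVATE KEY")
    print(check_bundle(good))
    print(check_bundle(bad))
```

To check a real file, pass its contents to check_bundle, for example `check_bundle(open("bundle.pem").read())`, where bundle.pem is a placeholder file name.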