A certificate used with VMware Aria Operations must conform to certain requirements. Using a custom certificate is optional and does not affect VMware Aria Operations features. You can also use wildcard certificates in VMware Aria Operations.

Requirements for Custom Certificates

Custom VMware Aria Operations certificates must meet the following requirements.

  • The certificate file must include the terminal (leaf) server certificate, a private key, and all issuing certificates if the certificate is signed by a chain of other certificates.
  • In the file, the leaf certificate must be first in the order of certificates. After the leaf certificate, the order does not matter.
  • In the file, all certificates and the private key must be in PEM format. VMware Aria Operations does not support certificates in PFX, PKCS12, PKCS7, or other formats.
  • In the file, all certificates and the private key must be PEM-encoded. VMware Aria Operations does not support DER-encoded certificates or private keys.

    PEM encoding is base-64 ASCII and contains legible BEGIN and END markers, while DER is a binary format. Also, the file extension might not match the encoding. For example, a generic .cer extension might be used with either PEM or DER. To verify the encoding, examine the certificate file in a text editor.

  • The file extension must be .pem.
  • The private key must be generated by the RSA or DSA algorithm.
  • The private key can be encrypted by a pass phrase. The generated certificate can be uploaded using the primary node configuration wizard or the administration interface.
  • The REST API in this VMware Aria Operations release supports private keys that are encrypted by a pass phrase.
  • The VMware Aria Operations certificate must have IPs and Hostnames in the Subject Alternative Name (SAN) extension.

    For example, the Subject Alternative Name consists of the DNS Name: localhost and the IP Address: 127.0.0.1.

  • The VMware Aria Operations Web server on all nodes has the same certificate file, so the certificate must be valid for all nodes. One way to make the certificate valid for multiple addresses is with multiple Subject Alternative Name (SAN) entries.
  • SHA1 certificates create browser compatibility issues. Therefore, ensure that all certificates that are created and being uploaded to VMware Aria Operations are signed using SHA2 or newer.
  • VMware Aria Operations supports custom security certificates with key lengths up to 8192 bits. An error is displayed when you try to upload a security certificate generated with a key length greater than 8192 bits.
    Note: Fill the certificate extension fields using the UTF-8 encoding.
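
The following shell script is an added example, not part of the VMware documentation: it checks a candidate bundle against the requirements listed above using the openssl CLI (assumed to be installed) and builds a constructed self-signed sample that uses the SAN from the example above.

```shell
#!/bin/sh
# Added example (not VMware's code): check a certificate bundle against the
# VMware Aria Operations requirements with openssl. Prints the first violation.

check_aria_pem() {
  f="$1"
  case "$f" in *.pem) ;; *) echo "extension must be .pem"; return 1 ;; esac
  # PEM, not DER: a text file with legible BEGIN/END markers
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "no PEM certificate block"; return 1; }
  grep -q -- 'PRIVATE KEY-----' "$f" || { echo "no PEM private key block"; return 1; }
  # The first certificate block must be the leaf, not an issuing CA certificate
  leaf=$(awk '/BEGIN CERTIFICATE/{p=1} p{print} /END CERTIFICATE/{exit}' "$f")
  txt=$(printf '%s\n' "$leaf" | openssl x509 -noout -text 2>/dev/null) || { echo "first block is not a parseable certificate"; return 1; }
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' && { echo "first certificate is a CA; the leaf must come first"; return 1; }
  # SAN must carry both a host name and an IP address
  printf '%s\n' "$txt" | grep -q 'DNS:' || { echo "SAN has no DNS name"; return 1; }
  printf '%s\n' "$txt" | grep -q 'IP Address:' || { echo "SAN has no IP address"; return 1; }
  # SHA-1 signatures cause browser compatibility issues; require SHA-2 or newer
  sig=$(printf '%s\n' "$txt" | grep 'Signature Algorithm' | head -n 1)
  case "$sig" in *sha1*|*SHA1*) echo "certificate is signed with SHA-1"; return 1 ;; esac
  # Key lengths up to 8192 bits are accepted
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ -n "$bits" ] && [ "$bits" -le 8192 ] || { echo "key length ${bits:-unknown} not supported"; return 1; }
  echo "OK: $f"
}

# Constructed sample: a self-signed leaf with the SAN DNS:localhost, IP:127.0.0.1
make_sample_bundle() {
  d=$(mktemp -d)
  cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
[dn]
[v3]
subjectAltName = DNS:localhost,IP:127.0.0.1
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj /CN=localhost -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
  # Leaf certificate first, then the private key (issuing CA certs would follow)
  cat "$d/cert.pem" "$d/key.pem" > "$d/aria.pem"
  echo "$d/aria.pem"
}

# Usage: sh check_aria_pem.sh bundle.pem   (no argument: check the constructed sample)
check_aria_pem "${1:-$(make_sample_bundle)}"
```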

vRealize Operations Manager 6.x fails to accept and apply a custom CA certificate. For more information, see KB article 2046591.