The security of the environment depends on the validity and trustworthiness of the management components' certificates. If a certificate is approaching expiration, has expired, is suspected to be compromised, or its attributes (for example, the subject alternative names) must change, regenerate the certificate and replace it on the affected nodes.

Table 1. Design Decisions on Certificate Management for Intelligent Network Visibility

Decision ID: INV-VAON-SEC-011

Design Decision: When deploying VMware Aria Operations for Networks, use a CA-signed certificate that lists the fully qualified domain name (FQDN) of every VMware Aria Operations for Networks platform node and collector node in the Subject Alternative Name (SAN) extension.

Design Justification: A CA-signed certificate lets clients verify the identity of the externally facing Web UI and API and encrypts that communication without certificate trust warnings. Because TLS hostname validation is matched against the SAN entries, including every node FQDN allows a single certificate to validate on whichever node a client connects to.

Design Implication:

  • Using certificates from a certificate authority might increase the deployment preparation time, because certificate requests must be generated and submitted and the signed certificates delivered.

  • Each time a node is added, the certificate must be reissued and replaced so that the SAN includes the FQDN of the additional node.

Decision ID: INV-VAON-SEC-012

Design Decision: Use a SHA-2 family hash algorithm (SHA-256 or stronger) when signing certificates.

Design Justification: SHA-1 is cryptographically weak (practical collision attacks exist), is deprecated for certificate signatures, and modern browsers and operating systems no longer accept SHA-1-signed certificates.

Design Implication: Not all certificate authorities support SHA-2. Confirm that the issuing CA signs with SHA-256 or stronger before submitting the certificate request.
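The following script is an added example, not part of the design document or of the VMware Aria Operations for Networks product. It shows the two decisions above end to end: it builds a certificate request whose SAN lists every platform and collector node FQDN, signs it with SHA-256, and then runs the checks a practitioner would run before deploying the certificate (all expected FQDNs present in the SAN, a SHA-2 signature, and more than 30 days of validity left, which also covers the expiry condition in the introduction). The node names, the organization name, the 30-day threshold and the throwaway self-signed lab CA are assumptions for illustration; in a real deployment the CSR is submitted to the enterprise CA instead of being signed locally.

```shell
#!/bin/sh
# Added example (not from the design document): build a certificate request
# whose SAN lists every platform and collector node FQDN, sign it with SHA-256,
# and verify the issued certificate before deployment. Node names and the
# throwaway lab CA are assumptions; a real deployment submits the CSR to the
# enterprise CA instead.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed node list (hypothetical FQDNs, not from the page).
PLATFORM_FQDNS="vaon-p01.example.local vaon-p02.example.local vaon-p03.example.local"
COLLECTOR_FQDNS="vaon-c01.example.local vaon-c02.example.local"

# Write an OpenSSL request config with all node FQDNs in subjectAltName,
# then generate an RSA key and a SHA-256 signed CSR.
make_csr() {
  san=""
  for h in $PLATFORM_FQDNS $COLLECTOR_FQDNS; do
    san="${san}${san:+,}DNS:$h"
  done
  cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = vaon-p01.example.local
O = Example Org
[ext]
subjectAltName = $san
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/vaon.key" -out "$WORK/vaon.csr" \
    -config "$WORK/req.cnf" >/dev/null 2>&1
}

# Stand-in for the enterprise CA: a self-signed lab CA that issues the
# certificate with the requested SAN extension, a SHA-256 signature and
# $1 days of validity.
sign_with_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Lab Issuing CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    >/dev/null 2>&1
  openssl x509 -req -in "$WORK/vaon.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$1" -sha256 -extfile "$WORK/req.cnf" -extensions ext \
    -out "$WORK/vaon.crt" >/dev/null 2>&1
}

# Pre-deployment checks on certificate $1: every expected FQDN in $2
# (space separated) is present in the SAN, the signature uses a SHA-2 digest,
# and more than 30 days of validity remain. Returns 0 if all pass, 1 otherwise.
check_cert() {
  text="$(openssl x509 -in "$1" -noout -text)"
  rc=0
  for h in $2; do
    echo "$text" | grep -Fq "DNS:$h" || { echo "missing SAN entry: $h"; rc=1; }
  done
  echo "$text" | grep -Eq 'Signature Algorithm: sha(256|384|512)' \
    || { echo "signature algorithm is not SHA-2"; rc=1; }
  openssl x509 -in "$1" -noout -checkend $((30 * 24 * 3600)) >/dev/null \
    || { echo "certificate expires within 30 days"; rc=1; }
  return $rc
}

make_csr
sign_with_lab_ca 365
check_cert "$WORK/vaon.crt" "$PLATFORM_FQDNS $COLLECTOR_FQDNS" \
  && echo "certificate covers all current nodes"
# INV-VAON-SEC-011 implication: a collector added after issuance is absent
# from the SAN, so the certificate has to be reissued.
check_cert "$WORK/vaon.crt" "$PLATFORM_FQDNS $COLLECTOR_FQDNS vaon-c03.example.local" \
  || echo "reissue the certificate to include vaon-c03.example.local"
```

The same `check_cert` function can be pointed at the certificate currently installed on a node (for example, after exporting it with `openssl s_client -connect <fqdn>:443 -showcerts`) to confirm the SAN still matches the node inventory and to catch the expiry and weak-signature conditions that trigger a replacement.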