Certificate Management Design for VMware Aria Operations for Intelligent Operations Management for VMware Cloud Foundation

Access to the VMware Aria Operations user interface and API requires an SSL connection. By default, VMware Aria Operations uses a self-signed certificate. To provide secure access to the VMware Aria Operations user interface and API, replace the default self-signed certificate with a CA-signed certificate.

Table 1. Design Decisions on Certificates for VMware Aria Operations
Decision ID	Design Decision	Design Justification	Design Implication
IOM-VAOPS-SEC-015	Use a CA-signed certificate containing the analytics and VMware Cloud Proxy appliances in the SAN attributes, when deploying VMware Aria Operations .	Configuring a CA-signed certificate ensures that the communication to the externally facing Web UI and API for VMware Aria Operations , and cross-product, is encrypted.	Using CA-signed certificates from a certificate authority might increase the deployment preparation time as certificate requests are generated and delivered. Each time a node is added the certificate must be replaced to include the new node.
IOM-VAOPS-SEC-016	Use a SHA-2 or higher algorithm when signing certificates.	The SHA-1 algorithm is considered less secure and has been deprecated.	Not all certificate authorities support SHA-2.