The VMware Aria Automation and VMware Aria Automation Orchestrator user interfaces and API endpoints use HTTPS connections.

VMware Aria Automation Certificates

To provide secure access to the VMware Aria Automation user interface and API, replace the default self-signed certificates with a certificate signed by a certificate authority.
Table 1. Design Decisions on Certificates for VMware Aria Automation

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| PCA-VAA-SEC-020 | Use a certificate authority signed certificate containing the FQDNs of the VMware Aria Automation cluster nodes and the virtual server FQDN in the SAN attributes, when deploying VMware Aria Automation. | Ensures that all communications to the externally facing VMware Aria Automation browser-based UI and API, and between the components, are encrypted. | • Using certificates signed by a certificate authority might increase the deployment preparation time as certificate requests are generated and delivered.<br>• You must manage the life cycle of the certificate replacement by using VMware Aria Suite Lifecycle.<br>• If multi-tenancy is activated for VMware Aria Automation, the on-boarding of tenants requires a service interruption for all tenants during certificate replacement. |
| PCA-VAA-SEC-021 | Use a SHA-2 or higher algorithm for certificate signing. | The SHA-1 algorithm is considered less secure and has been deprecated. | Not all certificate authorities support SHA-2 or higher. |
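The following check is an added example, not part of the VMware design or tooling. It verifies a CA-issued certificate against PCA-VAA-SEC-020 (every cluster node FQDN and the virtual server FQDN in the SAN) and PCA-VAA-SEC-021 (no SHA-1 or MD5 signature) before the certificate is imported. It assumes OpenSSL 1.1.1 or later; the function names and all FQDNs used with it are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pre-import check for a VMware Aria Automation certificate.
# Function names are hypothetical; FQDNs passed in are the caller's own.

# Succeeds unless the signature algorithm name contains MD5 or SHA-1.
sig_alg_ok() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    *md5*|*sha1*) return 1 ;;
    *) return 0 ;;
  esac
}

# Prints the DNS entries of the SAN extension, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    grep -o 'DNS:[^,]*' | sed 's/^DNS://' | tr -d ' '
}

# check_cert <cert.pem> <fqdn>... : returns 0 only if every FQDN is in
# the SAN list and the signature algorithm is not MD5 or SHA-1.
check_cert() {
  local pem=$1 rc=0 alg sans fqdn
  shift
  alg=$(openssl x509 -in "$pem" -noout -text |
        awk -F': ' '/Signature Algorithm/ {print $2; exit}')
  if ! sig_alg_ok "$alg"; then
    echo "FAIL: weak signature algorithm: $alg" >&2; rc=1
  fi
  sans=$(cert_sans "$pem")
  for fqdn in "$@"; do
    if ! printf '%s\n' "$sans" | grep -Fxqi -- "$fqdn"; then
      echo "FAIL: $fqdn missing from SAN" >&2; rc=1
    fi
  done
  return $rc
}

# Builds a throwaway self-signed certificate as constructed sample input
# (production certificates come from the certificate authority).
# make_sample_cert <out.pem> <fqdn>...
make_sample_cert() {
  local out=$1 san; shift
  san=$(printf 'DNS:%s,' "$@"); san=${san%,}
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$1" \
    -addext "subjectAltName=$san" -keyout "$out.key" -out "$out" 2>/dev/null
}
```

Call `check_cert` with the issued PEM file followed by the virtual server FQDN and each cluster node FQDN; a non-zero exit status means the certificate should go back to the certificate authority rather than into VMware Aria Suite Lifecycle.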

VMware Aria Automation Orchestrator Certificates

The VMware Aria Automation Orchestrator user interface and API endpoint use a secure connection to communicate with VI workload domain vCenter Server instances, database systems, LDAP, and other servers. You can import an SSL certificate from a URL or PEM file to replace the SSL certificates that the embedded VMware Aria Automation Orchestrator instance must trust. For example, you can import the Microsoft Active Directory Certificate Services certificate authority root certificate from Certificates > Trust Certificate in the VMware Aria Automation Orchestrator HTML5-based Control Center UI at https://aria_automation_cluster_fqdn/vco-controlcenter.
Table 2. Design Decisions on Trusted Certificates for VMware Aria Automation Orchestrator in VMware Aria Automation

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| PCA-VAA-SEC-022 | Import the certificate authority root certificate to the embedded VMware Aria Automation Orchestrator instance in VMware Aria Automation. | • Ensures that the certificate for each VI workload domain vCenter Server instance is trusted by the embedded VMware Aria Automation Orchestrator instance in VMware Aria Automation.<br>• Ensures that other endpoints with certificates issued from the same certificate authority, for example, NSX Manager and VMware Aria Operations, are trusted. | If the certificate authority certificate is reissued, you must import an updated certificate to the embedded VMware Aria Automation Orchestrator instance in VMware Aria Automation. |