Understanding of the main SSL functions can help you configure the Log Insight Agents properly.
The vRealize Log Insight Agent stores certificates and uses them to verify the identity of the server during all but the first connection to a particular server. If the server identity cannot be confirmed, the vRealize Log Insight Agent rejects connection with server and writes an appropriate error message to the log. Certificates received by the Agent are stored in cert folder.
For Windows go to C:\ProgramData\VMware\Log Insight Agent\cert.
For Linux go to /var/lib/loginsight-agent/cert.
When the vRealize Log Insight Agent establishes secure connection with the vRealize Log Insight Server, the Agent checks the certificate received from the vRealize Log Insight Server for validity. The vRealize Log Insight Agent uses system-trusted root certificates.
The Log Insight Linux Agent loads trusted certificates from /etc/pki/tls/certs/ca-bundle.crt or /etc/ssl/certs/ca-certificates.crt.
The Log Insight Windows Agent uses system root certificates.
If the vRealize Log Insight Agent has a locally stored self-signed certificate and receives a different valid self-signed certificate with the same public key, then the agent accepts the new certificate. This can happen when a self-signed certificate is regenerated using the same private key but with different details like new expiration date. Otherwise, connection is rejected.
If the vRealize Log Insight Agent has a locally stored self-signed certificate and receives valid CA-signed certificate, the vRealize Log Insight Agent silently replaces new accepted certificate.
If the vRealize Log Insight Agent receives self-signed certificate after having a CA-signed certificate, the Log Insight Agent rejects it. The vRealize Log Insight Agent accepts self-signed certificate received from vRealize Log Insight Server only when it connects to the server for the first time.
If the vRealize Log Insight Agent has a locally stored CA-signed certificate and receives a valid certificate signed by another trusted CA, the Agent rejects it. You can modify the configuration options of the vRealize Log Insight Agent to accept the new certificate. See Configure the vRealize Log Insight Agent SSL Parameters.
vRealize Log Insight Agents communicate over TLSv.1.2. SSLv.3/TLSv.1.0 is disabled to meet security guidelines.