A certificate used with vRealize Operations must conform to certain requirements. Using a custom certificate is optional and does not affect vRealize Operations features. You can also use wildcard certificates in vRealize Operations.
Requirements for Custom Certificates
Custom vRealize Operations certificates must meet the following requirements.
- The certificate file must include the terminal (leaf) server certificate, a private key, and all issuing certificates if the certificate is signed by a chain of other certificates.
- In the file, the leaf certificate must be first in the order of certificates. After the leaf certificate, the order does not matter.
- In the file, all certificates and the private key must be in PEM format. vRealize Operations does not support certificates in PFX, PKCS12, PKCS7, or other formats.
- In the file, all certificates and the private key must be PEM-encoded. vRealize Operations does not support DER-encoded certificates or private keys.
PEM-encoding is base-64 ASCII and contains legible BEGIN and END markers, while DER is a binary format. Also, file extension might not match encoding. For example, a generic .cer extension might be used with PEM or DER. To verify encoding format, examine a certificate file using a text editor.
- The file extension must be .pem.
- The private key must be generated by the RSA or DSA algorithm.
- The private key can be encrypted by a pass phrase. The generated certificate can be uploaded using the primary node configuration wizard or the administration interface.
- The REST API in this vRealize Operations release supports private keys that are encrypted by a pass phrase.
- The vRealize Operations Web server on all nodes have the same certificate file, so it must be valid for all nodes. One way to make the certificate valid for multiple addresses is with multiple Subject Alternative Name (SAN) entries.
- SHA1 certificates create browser compatibility issues. Therefore, ensure that all certificates that are created and being uploaded to vRealize Operations are signed using SHA2 or newer.
- The vRealize Operations supports custom security certificates with key length up to 8192 bits. An error is displayed when you try to upload a security certificate generated with a stronger key length beyond 8192 bits.
Note: Fill the certificate extension fields using the UTF-8 encoding.
For more information, see the following KB articles: