Add CA certs to a cloud proxy in VMware Aria Operations

Article ID: 320340

Updated On: 01-07-2025

Products

VMware Aria Suite

Issue/Introduction

This article provides steps to add a new CA or certificate group into a Cloud Proxy node for VMware Aria Operations (formerly known as vRealize Operations).

The certificate imported into the Cloud Proxy is used to validate the connection between Cloud Proxies and VMware Aria Operations.

Considerations:
  • (On-prem only) If the Cloud Proxy connects directly to VMware Aria Operations, then the Root CA of the VMware Aria Operations web certificate should be added into the Cloud Proxy.
  • If the Cloud Proxy node connects to VMware Aria Operations via a Network Proxy that has SSL termination configured, then the endpoint for the Cloud Proxy node is the Network Proxy, and the Network Proxy Root CA certificate should be added into the Cloud Proxy node.
  • If the Cloud Proxy node connects to VMware Aria Operations via a Load Balancer where SSL termination is configured, then the endpoint for the Cloud Proxy node is the Load Balancer, and the Load Balancer Root CA certificate should be added into the Cloud Proxy node.
Note: In cases where a Load Balancer and a Network Proxy are both configured, the Network Proxy should be considered the connection endpoint for the Cloud Proxy node.

Resolution

The Root CA certificate can be added into a Cloud Proxy by 2 methods: 

  1. Add Root CA certificate during Cloud Proxy deployment
  2. Add/Change Root CA certificate to Cloud Proxy after deployment

Follow the appropriate method for your situation:
 

1. Add root CA certificate during Cloud Proxy deployment

Note: Skip the following steps for new Cloud Proxy deployments if the Cloud Proxy connection endpoint is the VMware Aria Operations cluster. For new installations, the VMware Aria Operations cluster certificate is passed via the OTK key.

During the Cloud Proxy OVA/OVF deployment, the Customize template menu allows you to paste the certificate content into the Network Proxy Settings >> Custom CA field.

Note:
Starting from 8.10 (On-Prem) and for SaaS, include the following lines when you copy the Root CA:
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----



Note: A certificate group can also be used here instead of a single CA.


2. Add root CA certificate to Cloud Proxy after deployment

This method should also be used when the VMware Aria Operations web certificate is changed, or when the Cloud Proxy connection endpoint should be changed to a Network Proxy or a Load Balancer that uses an SSL certificate for the connection.

Note: (On-prem only) After the VMware Aria Operations 8.6.x - 8.10.x web certificate is changed, immediately update the Cloud Proxy certificate as well to resume connectivity. Starting in VMware Aria Operations 8.12 and onwards, the Cloud Proxy certificate is automatically updated from the VMware Aria Operations cluster's web certificate.

Note:
Starting from 8.10 (On-Prem) and for SaaS, include the following lines when you copy the Root CA:
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----



Note:
To add multiple CAs, repeat steps 5-6 before proceeding to step 7. If you are adding just one CA, proceed directly to step 7.
The imported CAs can be edited and deleted from the vApp Options >> Properties screen.
A certificate group can be imported using this same method; however, further management (adding, editing or deleting a certificate in the group) can be more difficult with only a single property entry.
 

  1. From the vCenter Server Web interface, perform a guest shut down on the Cloud Proxy VM.
  2. From the vCenter Server Web interface select the Cloud Proxy VM and click the Configure tab on the right.
  3. Navigate to vApp Options >> Properties.
  4. Under the custom_ca value, press Set Value and paste the certificate content provided by your CA.
  5. To add more CA certificates, press Add, then set Key class ID to cprc_ca and set Category to Network Proxy Settings.
  6. Under the Type tab, insert the CA content in the Default value field and click Save.
  7. Power on the Cloud Proxy VM.


After the Cloud Proxy startup completes, the certificate(s) will be stored in the Cloud Proxy's certificate store.
For further certificate changes, the imported CAs can be edited, deleted and replaced with a new root CA from the vApp Options >> Properties screen.
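
A pre-paste check for the certificate text used in either method above, as an added example that is not part of the original article: it confirms the BEGIN/END lines are present, splits a certificate group into its members, and verifies that each one parses, is unexpired and is a CA certificate. It assumes the openssl CLI on the administrator's workstation; the function names, the sample CA and the CA:TRUE and expiry checks are additions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight check for PEM text destined for the Custom CA /
# custom_ca field. Function and file names are hypothetical.

# make_sample_ca OUT: write a constructed, throwaway self-signed root CA
# (sample input only; not a certificate from any real deployment).
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo Root CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout /dev/null -out "$1" 2>/dev/null
}

# check_ca_bundle FILE: return 0 only if FILE holds one or more PEM blocks,
# each with its BEGIN/END lines, that parse as unexpired CA certificates.
check_ca_bundle() {
    [ -r "$1" ] || { echo "FAIL: cannot read $1" >&2; return 2; }
    work=$(mktemp -d) || return 2
    tr -d '\r' < "$1" > "$work/in.pem"    # tolerate CRLF from Windows copies
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$work/in.pem" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$work/in.pem" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "FAIL: BEGIN/END CERTIFICATE lines missing or unbalanced" >&2
        rm -rf "$work"; return 1
    fi
    # Split a certificate group into one file per certificate.
    awk -v d="$work" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; on = 1 }
        on { print > (d "/cert" n ".pem") }
        /^-----END CERTIFICATE-----$/   { on = 0 }' "$work/in.pem"
    rc=0
    for f in "$work"/cert*.pem; do
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            echo "FAIL: a block does not parse or has expired" >&2; rc=1
        elif ! openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE'; then
            echo "FAIL: a block is not a CA certificate (no CA:TRUE)" >&2; rc=1
        else
            # Subject and SHA-256 fingerprint, to compare with the CA you expect.
            openssl x509 -in "$f" -noout -subject -fingerprint -sha256
        fi
    done
    rm -rf "$work"
    [ "$rc" -eq 0 ] && echo "OK: $begins certificate(s) checked"
    return "$rc"
}
```

Source the file and run `check_ca_bundle rootca.pem` on the text you intend to paste; compare the printed fingerprint with the one published by the CA that signs your endpoint's certificate.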