This article provides steps to add a new CA or certificate group into a Cloud Proxy node for VMware Aria Operations (SaaS) (formerly known as vRealize Operations Cloud). 
The Cloud Proxy certificate is used by for endpoint connection validation.

Considerations:

• If the Cloud Proxy node connects directly to VMware Aria Operations (SaaS) then the VMware Aria Operations (SaaS) root CA of the web certificate should be added into the Cloud Proxy node.
• If the Cloud proxy node connects to VMware Aria Operations (SaaS) via a Network Proxy, then  the endpoint for the Cloud Proxy node is a Network Proxy and the Network Proxy root CA certificate should be added into the Cloud proxy node.
• If the Cloud proxy node connects to VMware Aria Operations (SaaS) via a Load Balancer where the SSL termination is configured, then the endpoint for the Cloud Proxy node is a Load Balancer and the Load Balancer root CA certificate should be added into the Cloud Proxy node.

Note: In cases where a Load Balancer and Network Proxy are both configured, then the Network Proxy should be considered as connection endpoint for the Cloud Proxy node.

The certificate(s) can be added into a Cloud Proxy node by 2 methods:

• Add certificate(s) during Cloud Proxy deployment
• Add certificate(s) to Cloud Proxy after deployment

Follow the appropriate method for your situation.

 

Add certificate(s) during Cloud Proxy deployment

During the Cloud Proxy OVA/OVF deployment, the Customize template menu allows you to paste the certificate content in the Network Proxy Settings > Custom CA field.

Notes:

• The lines below are mandatory and should not be cut from the CA:       

• A Certificate group can be used here instead of a single CA.
• This method is not applicable for new Cloud Proxy deployments when the Cloud Proxy connection endpoint is the VMware Aria Operations (SaaS) cluster.  VMware Aria Operations (SaaS) certificate for new installations is passed via OTK key.

 

Add certificate(s) to Cloud Proxy after deployment

This method should also be used when the VMware Aria Operations (SaaS) web certificate is changed or the Cloud Proxy connection endpoint should be changed to a Network Proxy or a Load Balancer which is used for SSL certificate connection.

1. From the vCenter Server Web interface, perform a guest shut down on the Cloud Proxy VM.
2. From the vCenter Server Web interface, right-click the Cloud Proxy VM and click Configure.
3. Navigate to vApp Options > Properties.
4. Press Add, then set Key class ID to cprc_ca and set Category to Network Proxy Settings.
5. Under the Type tab, Insert the CA content in the Default value field and click Save.

• The lines below are mandatory and should not be cut from the CA:

• To add multiple CAs, repeat steps 4-5 before proceeding to step 6.
• The imported CAs can be edited and deleted from the vApp Options > Properties screen.
• Certificates Group can be imported using this same method, however further management (add, edit or delete a certificate from the group) can be more difficult with only a single property entry.

6. Power on the Cloud Proxy VM.

After the Cloud Proxy startup completes, the certificate(s) will be stored in the Cloud Proxy's certificate store.
For further certificate changes, the imported CAs can be edited and deleted from the vApp Options > Properties screen.