Security scans identify self-signed certificates on internal VCF Operations service ports. This typically involves internal communication between nodes or services that cannot be replaced with custom certificates. Symptoms include security flags on the following ports:
Gemfire: 10000-10010, 20000-20010
Gemfire Locator: 6061
Postgres: 5432, 5433
VCF Operations 9.x
VCF Operations utilizes hardcoded self-signed certificates for internal service-to-service and node-to-node communication; these certificates currently cannot be replaced with custom CA-signed certificates.
These findings do not clear because Qualys only trusts publicly issued certificate authorities. Because these services use an internal, vendor-issued certificate, Qualys will continue to flag it by design, even though the certificate is valid and up to date internally. Engage with Qualys for further help.
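The following is an added example, not code from VCF Operations or Qualys. It shows one way to keep a scanner exception scoped to exactly the ports listed above, so that self-signed findings on other ports, other hosts, or other certificate issues still get reviewed. The finding format (`host`, `port`, `issue`), the issue labels, and the node addresses are constructed assumptions.

```python
# Finding fields (host, port, issue) are a constructed format, not a Qualys export.
import csv
import io

# Internal service ports as listed in the article.
DOCUMENTED_PORTS = {
    "Gemfire": "10000-10010,20000-20010",
    "Gemfire Locator": "6061",
    "Postgres": "5432,5433",
}

def expand(spec):
    """Turn a spec such as '10000-10010,6061' into a set of integer ports."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

PORT_TO_SERVICE = {p: svc for svc, spec in DOCUMENTED_PORTS.items() for p in expand(spec)}

def triage(findings_csv, vcf_ops_nodes):
    """Split findings into (expected_by_design, needs_review)."""
    expected, review = [], []
    for row in csv.DictReader(io.StringIO(findings_csv)):
        port = int(row["port"])
        known = (
            row["host"] in vcf_ops_nodes                  # only VCF Operations nodes
            and row["issue"] == "self-signed-certificate"  # only this finding type
            and port in PORT_TO_SERVICE                    # only the documented ports
        )
        if known:
            expected.append((row["host"], port, PORT_TO_SERVICE[port]))
        else:
            review.append((row["host"], port, row["issue"]))
    return expected, review

# Constructed sample findings (documentation address range 192.0.2.0/24).
SAMPLE = """host,port,issue
192.0.2.10,6061,self-signed-certificate
192.0.2.10,10005,self-signed-certificate
192.0.2.10,5433,self-signed-certificate
192.0.2.10,443,self-signed-certificate
192.0.2.10,5432,certificate-expired
192.0.2.99,5432,self-signed-certificate
"""

if __name__ == "__main__":
    print(triage(SAMPLE, {"192.0.2.10"}))
```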