Certificates on Ops Manager

Page last updated:

This topic describes the sources and uses for certificates to secure both internal and external networking calls in Ops Manager.

Certificate Sources

Certificates in Ops Manager originate from these sources:

Enterprise Root CA

An enterprise root CA is able to grant itself a certificate and create subordinate CAs. Domains require an enterprise root CA to allow clients to request certificates.

Generating certificates against a root CA is a good implementation for systems that are static and do not need highly available certificate creation.


You can use CredHub as a source for certificates in Ops Manager. These certificates can either be self-signed or signed by an imported trusted CA. Certificates are self-signed by default.

Use CredHub for:

  • High availability
  • Dynamic generation of certificates
  • More secure communication between platform components, apps, and services

VMware recommends using CredHub for high availability and good security posture in Ops Manager.

For more information, see CredHub.