Velociraptor clients support two modes of communication:
1. Self signed SSL means the certificate is generated by Velociraptor's internal CA and this is pinned so the clients will refuse to talk to anyone else
2. Non self signed mode requires the certificate to be issued by a proper public CA which chains through the SSL root store to the global root CAs.
Those are the only safe modes of deploying SSL - specifically it is not supported to have a non-velociraptor self signed SSL certificate because the clients can not verify it. If you are trying to serve the Velociraptor clients through a self signed SSL proxy this is not going to work because the clients can not guarantee that the SSL communication is not being intercepted.
You can serve the Velociraptor SSL connections on a separate port (i.e. not go through the security onion server).
Technically you can switch SSL off completely but this is not a recommended setting because then you rely on Velociraptor's built in encryption for transport encryption.
Here is more information about encryption and communications