When the VMware Identity Manager service is installed, a default SSL server certificate is generated. You can use this self-signed certificate for testing purposes. However, best practice is to use SSL certificates signed by a public Certificate Authority (CA) for your production environment.

Note: If a load balancer in front of VMware Identity Manager terminates SSL, the SSL certificate is applied to the load balancer.

Prerequisites

  • Generate a Certificate Signing Request (CSR) and obtain a valid, signed SSL certificate from a CA. The certificate can be either a PEM or PFX file.
  • For the Common Name part of the Subject DN, use the fully qualified domain name that users use to access the VMware Identity Manager service. If the VMware Identity Manager appliance is behind a load balancer, this name is the load balancer server name.
  • If SSL is not terminated on the load balancer, the SSL certificate used by the service must include Subject Alternative Names (SANs) for each of the fully qualified domain names in the VMware Identity Manager cluster. Including the SAN enables the nodes within the cluster to make requests to each other. Also include a SAN for the FQDN host name that users use to access the VMware Identity Manager service, in addition to using it for the Common Name, because some browsers require it.
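The CSR the prerequisites call for can be produced with the OpenSSL CLI. The script below is an added example, not VMware tooling or part of this procedure: the function names write_san_config and make_csr are chosen here, and the host names idm.example.com and idm-node1/idm-node2.example.com are placeholders for the user-facing FQDN and the cluster nodes. It writes an OpenSSL request config whose Common Name is the user-facing FQDN and whose SAN list repeats that FQDN and adds every node name, then generates the key and CSR from it.

```shell
#!/bin/sh
# Added example (not VMware's own tooling): build an OpenSSL config and CSR whose
# CN is the user-facing FQDN and whose SAN list covers that FQDN plus every
# cluster node, as required when the load balancer does not terminate SSL.
# All host names used with these functions are placeholders.

# write_san_config OUTFILE USER_FQDN [NODE_FQDN ...]
# Writes an "openssl req" config: CN = USER_FQDN, SANs = USER_FQDN + each node.
write_san_config() {
    out="$1"; cn="$2"; shift 2
    {
        printf '[req]\n'
        printf 'distinguished_name = dn\n'
        printf 'req_extensions = ext\n'
        printf 'prompt = no\n\n'
        printf '[dn]\n'
        printf 'CN = %s\n\n' "$cn"
        printf '[ext]\n'
        printf 'subjectAltName = @alt_names\n\n'
        printf '[alt_names]\n'
        # the CN must also appear as a SAN, because some browsers require it
        printf 'DNS.1 = %s\n' "$cn"
        i=2
        for node in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$node"
            i=$((i + 1))
        done
    } > "$out"
}

# make_csr CONFIG KEYFILE CSRFILE
# Generates an unencrypted 2048-bit RSA key and a CSR from the config above.
# Keep KEYFILE private: it is the key you import in step 6 of the procedure.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" -config "$1"
}

# Example invocation (placeholder names):
#   write_san_config idm.cnf idm.example.com idm-node1.example.com idm-node2.example.com
#   make_csr idm.cnf idm.key idm.csr
#   openssl req -in idm.csr -noout -text | grep -A1 'Subject Alternative Name'
```

Submit the resulting CSR to the CA; the certificate it returns, together with the CA's chain, is what the procedure imports. Inspecting the CSR with `openssl req -noout -text` before submitting it is a cheap way to confirm that every node name made it into the SAN list.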

Procedure

  1. In the VMware Identity Manager console, click the Appliance Settings tab.
  2. Click Manage Configuration and enter the admin user password.
  3. Select Install SSL Certificates > Server Certificate.
  4. In the SSL Certificate tab, select Custom Certificate.
  5. To import the certificate file, click Choose File and navigate to the certificate file to import.
    If a PEM file is imported, make sure that the file includes the entire certificate chain in the correct order (server certificate first, followed by each issuing CA certificate). For each certificate, everything between and including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- must be included.
  6. If a PEM file is imported, import the private key. Click Choose File and navigate to the private key file. Everything between and including the lines -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- must be included.
    If a PFX file is imported, enter the PFX password.
  7. Click Save.
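Before uploading a PEM bundle in step 5, it is worth checking that the markers are balanced and the chain is in the expected order, because the console accepts the file as text and an out-of-order or truncated chain only shows up later as TLS failures. The script below is an added example, not part of the VMware procedure: the functions count_certs and check_chain_order are names chosen here, it requires the openssl CLI, and the file and host names are placeholders. It counts complete BEGIN/END CERTIFICATE blocks, confirms the first certificate is the one issued for the user-facing FQDN, and confirms that each certificate's issuer matches the subject of the certificate that follows it.

```shell
#!/bin/sh
# Added example (not part of the VMware procedure): sanity-check a PEM bundle
# before it is imported. Requires the openssl CLI; names are placeholders.

# count_certs BUNDLE
# Prints the number of certificate blocks; fails if BEGIN/END markers differ.
count_certs() {
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)
    if [ "$begins" -ne "$ends" ]; then
        echo "unbalanced markers: $begins BEGIN, $ends END" >&2
        return 1
    fi
    echo "$begins"
}

# check_chain_order BUNDLE SERVER_FQDN
# Returns 0 when the first certificate is valid for SERVER_FQDN and every
# certificate's issuer equals the subject of the next certificate in the file
# (server certificate first, then its issuing CA certificates).
check_chain_order() {
    bundle="$1"; fqdn="$2"
    n=$(count_certs "$bundle") || return 1
    if [ "$n" -lt 1 ]; then
        echo "no certificates found in $bundle" >&2
        return 1
    fi
    work=$(mktemp -d)
    # split the bundle into one file per certificate: cert.1, cert.2, ...
    awk -v dir="$work" '/-----BEGIN CERTIFICATE-----/ {i++} {print > (dir "/cert." i)}' "$bundle"
    # the first certificate must be the one users connect to
    if ! openssl x509 -in "$work/cert.1" -noout -checkhost "$fqdn" 2>/dev/null | grep -q 'does match'; then
        echo "first certificate is not issued for $fqdn" >&2
        rm -rf "$work"
        return 1
    fi
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$work/cert.$i" -noout -issuer)
        subject=$(openssl x509 -in "$work/cert.$((i + 1))" -noout -subject)
        # strip the "issuer=" / "subject=" prefixes and compare the names
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "certificate $i is not issued by certificate $((i + 1))" >&2
            rm -rf "$work"
            return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$work"
    echo "chain of $n certificate(s) is in order for $fqdn"
}

# Example invocation (placeholder names):
#   check_chain_order fullchain.pem idm.example.com
```

The issuer-to-subject comparison only proves the file is in the right order, not that the signatures verify; running `openssl verify` against the CA's own bundle covers that separately. If the load balancer terminates SSL, this check applies to the bundle installed on the load balancer instead.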

Example: PEM Certificate

Certificate Chain Example
-----BEGIN CERTIFICATE-----
jlQvt9WdR9Vpg3WQT5+C3HU17bUOwvhp/r0+
...
W53+O05j5xsxzDJfWr1lqBlFF/OkIYCPcyK1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
WdR9Vpg3WQT5+C3HU17bUOwvhp/rjlQvt90+
...
O05j5xsxzDJfWr1lqBlFF/OkIYCPW53+cyK1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
dR9Vpg3WQTjlQvt9W5+C3HU17bUOwvhp/r0+
...
5j5xsxzDJfWr1lqW53+O0BlFF/OkIYCPcyK1
-----END CERTIFICATE-----

Private Key Example
-----BEGIN RSA PRIVATE KEY-----
jlQvtg3WQT5+C3HU17bU9WdR9VpOwvhp/r0+
...
1lqBlFFW53+O05j5xsxzDJfWr/OkIYCPcyK1
-----END RSA PRIVATE KEY-----