For multiple VMware Identity Manager virtual appliances deployed in a cluster, ensure that the following requirements are met.

Guidelines to Create a Certificate for VMware Identity Manager 3.3.4 and Later

  • Generate a Certificate Signing Request (CSR) and obtain a valid, signed SSL certificate from a certificate authority (CA). The certificate can be either a PEM or PFX file.
  • For the Common Name part of the Subject DN, use the fully qualified domain name (FQDN) that users use to access the VMware Identity Manager service. If the VMware Identity Manager appliances are behind a load balancer, this FQDN is the load balancer's name, not an individual node's name.
  • If SSL is not terminated on the load balancer (SSL passthrough), the SSL certificate used by the service must include a Subject Alternative Name (SAN) for each node FQDN in the VMware Identity Manager cluster, because the nodes use those names when they make requests to each other. Also include a SAN for the FQDN that users use to access the service, in addition to using it as the Common Name, because current browsers validate the host name against the SAN list and ignore the Common Name.
Note: LCM-based clusters support only SSL termination on the load balancer; SSL passthrough is not supported.

The Attributes to Use When Using Certificates with VMware Identity Manager 3.3.4 and Later

Cluster Type: Cluster with Single Tenant Mode
Recommended
  • CA-signed wildcard certificate that matches the load balancer and node domain
Supported
  • Self-signed wildcard certificate that matches the load balancer and node domain
  • Self-signed certificate with the load balancer and tenant FQDNs added as host SANs

Cluster Type: Cluster with Multi-Tenancy Enabled
Recommended
  • CA-signed wildcard certificate that matches the load balancer and node domain
Supported
  • Self-signed wildcard certificate that matches the load balancer and node domain
  • Self-signed certificate with the load balancer, node, and tenant FQDNs added as host SANs
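The following POSIX shell script is an added example and is not from the VMware documentation. It covers both the CSR guidelines above (a request whose SANs list the load balancer FQDN and every node FQDN, for the SSL passthrough case) and the table's self-signed and wildcard options: it builds the OpenSSL request configuration, generates a key and CSR, produces a self-signed certificate from the same configuration, and then checks whether a certificate's SAN list covers every cluster name, treating a single-label wildcard (*.example.com) as covering the nodes in that domain. The host names vidm.example.com and vidm-node1..3.example.com are constructed placeholders, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not VMware's code: CSR with cluster-wide SANs, a self-signed
# certificate from the same config, and a SAN coverage check for the cluster.
# All host names below are constructed placeholders.

LB_FQDN="vidm.example.com"
NODES="vidm-node1.example.com vidm-node2.example.com vidm-node3.example.com"
WORK="${TMPDIR:-/tmp}"
CFG="$WORK/vidm-csr.cnf"

# write_csr_config CN OUTFILE NAME... : write an openssl req config whose
# subjectAltName lists the CN itself (browsers validate SANs, not the CN)
# followed by every NAME given.
write_csr_config() {
    cn="$1"; out="$2"; shift 2
    {
        printf '[ req ]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n\n'
        printf '[ dn ]\nCN = %s\n\n' "$cn"
        printf '[ ext ]\nsubjectAltName = @alt\n\n[ alt ]\n'
        i=1
        printf 'DNS.%d = %s\n' "$i" "$cn"
        for n in "$@"; do
            i=$((i + 1))
            printf 'DNS.%d = %s\n' "$i" "$n"
        done
    } > "$out"
}

# san_count FILE : number of DNS entries in a config written by write_csr_config.
san_count() { grep -c '^DNS\.' "$1"; }

# san_covers SANTEXT NAME : true if SANTEXT (openssl's "DNS:a, DNS:b" line)
# lists NAME exactly or a single-label wildcard for NAME's parent domain.
san_covers() {
    exact=$(printf '%s' "$2" | sed 's/\./\\./g')
    parent=$(printf '%s' "${2#*.}" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -qE "DNS:($exact|\*\.$parent)(,|[[:space:]]|$)"
}

# cert_missing_sans CERTFILE NAME... : print each NAME the PEM certificate
# does not cover (empty output means the certificate covers the cluster).
cert_missing_sans() {
    sans=$(openssl x509 -in "$1" -noout -text | grep 'DNS:')
    shift
    for n in "$@"; do
        san_covers "$sans" "$n" || printf '%s\n' "$n"
    done
}

# $NODES is deliberately unquoted so each node FQDN becomes its own argument.
write_csr_config "$LB_FQDN" "$CFG" $NODES
echo "wrote $CFG with $(san_count "$CFG") DNS SAN entries"

# The remaining steps need the openssl CLI; skip them if it is not installed.
if command -v openssl >/dev/null 2>&1; then
    # CSR to submit to the CA; the private key stays on the appliance.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CFG" \
        -keyout "$WORK/vidm.key" -out "$WORK/vidm.csr" 2>/dev/null
    openssl req -in "$WORK/vidm.csr" -noout -text | grep -A1 'Subject Alternative Name'

    # Self-signed certificate with the same SANs (the table's "Supported" case).
    # -extensions ext is required so the request extensions land in the cert.
    openssl req -x509 -new -key "$WORK/vidm.key" -sha256 -days 365 \
        -config "$CFG" -extensions ext -out "$WORK/vidm-selfsigned.crt" 2>/dev/null

    missing=$(cert_missing_sans "$WORK/vidm-selfsigned.crt" "$LB_FQDN" $NODES)
    [ -z "$missing" ] && echo "certificate covers the whole cluster" \
                      || echo "certificate is missing SANs for: $missing"
fi
```

Once the CA returns the signed certificate, run cert_missing_sans against that file with the same name list before installing it; a PFX file can be converted to PEM first with `openssl pkcs12 -in cert.pfx -clcerts -nokeys`. A CA-signed wildcard certificate for the domain passes the same check, which is why the table lists it as the recommended option.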