When the VMware Identity Manager connector is installed, a default self-signed SSL server certificate is automatically generated. You can continue to use this self-signed certificate in most scenarios.

With the connector deployed in outbound mode, end users do not access the connector directly, so installing a public Certificate Authority (CA)-signed SSL certificate is not required. For administrator access to the connector, you can either continue to use the default self-signed certificate or use a certificate generated by your internal CA.

However, if you enable the KerberosIdpAdapter on the connector to set up Kerberos authentication for internal users, end users establish SSL connections to the connector, so the connector must have a signed SSL certificate. Use your internal CA to generate the SSL certificate.

If you set up high availability for Kerberos authentication, a load balancer is required in front of the connector instances. In this case, the load balancer and all the connector instances must have signed SSL certificates. Use your internal CA to generate the SSL certificates. For the load balancer certificate, use the Workspace IdP host name, which is set in the Workspace IdP configuration page, as the Subject DN Common Name. For each connector instance certificate, use the connector host name as the Subject DN Common Name. Alternatively, you can create a single certificate that uses the Workspace IdP host name as the Subject DN Common Name and lists all the connector host names, as well as the Workspace IdP host name, as Subject Alternative Names (SANs).
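
The single-certificate option above can be prepared as a certificate signing request for the internal CA with OpenSSL. The following is an added example, not part of the VMware documentation: the function names `csr_config` and `make_csr`, the output file names, and the RSA 2048-bit key size are assumptions, and any host names passed in are your own.

```shell
#!/bin/sh
# Added example: CSR for the single-certificate layout
# (CN = Workspace IdP host name; SANs = IdP host name + every connector host name).

# csr_config IDP_HOST CONNECTOR_HOST...
# Prints an OpenSSL "req" configuration to stdout.
csr_config() {
    [ "$#" -ge 2 ] || { echo "usage: csr_config IDP_HOST CONNECTOR_HOST..." >&2; return 1; }
    idp=$1
    shift
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n\n'
    printf '[ dn ]\nCN = %s\n\n' "$idp"
    printf '[ v3_req ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n'
    # The IdP host name must appear as a SAN as well as the CN.
    printf 'DNS.1 = %s\n' "$idp"
    i=2
    for host in "$@"; do
        # Skip a connector entry that repeats the IdP host name.
        [ "$host" = "$idp" ] && continue
        printf 'DNS.%d = %s\n' "$i" "$host"
        i=$((i + 1))
    done
}

# make_csr OUT_PREFIX IDP_HOST CONNECTOR_HOST...
# Writes OUT_PREFIX.cnf, OUT_PREFIX.key and OUT_PREFIX.csr, then prints the
# subject and SAN list of the CSR so they can be checked before submission.
make_csr() {
    prefix=$1
    shift
    csr_config "$@" > "$prefix.cnf" || return 1
    # Subshell with a restrictive umask: the private key is written unencrypted.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$prefix.key" -out "$prefix.csr" -config "$prefix.cnf" ) || return 1
    openssl req -in "$prefix.csr" -noout -text |
        grep -A1 -E 'Subject:|Subject Alternative Name'
}
```

Calling `make_csr` with a file prefix, the Workspace IdP host name and each connector host name produces the CSR to submit to the internal CA; the signed certificate and key are then installed on the load balancer and on every connector instance.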