When the VMware Identity Manager service is installed, a default SSL server certificate is generated. You can use this self-signed certificate for testing purposes. However, VMware strongly recommends that you use SSL certificates signed by a public Certificate Authority (CA) for your production environment.
Note: If a load balancer in front of VMware Identity Manager terminates SSL, the SSL certificate is applied to the load balancer.
Prerequisites
- Generate a Certificate Signing Request (CSR) and obtain a valid, signed SSL certificate from a CA. The certificate must be in the PEM format.
- For the Common Name part of the Subject DN, use the fully qualified domain name (FQDN) that users use to access the VMware Identity Manager service. If the VMware Identity Manager appliance is behind a load balancer, this is the load balancer server name.
- If SSL is not terminated on the load balancer, the SSL certificate used by the service must include Subject Alternative Names (SANs) for each of the fully qualified domain names in the VMware Identity Manager cluster so that nodes within the cluster can make requests to each other. Also include a SAN for the FQDN host name that users use to access the VMware Identity Manager service, in addition to using it for the Common Name, because some browsers require it.
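The PEM and SAN prerequisites above can be checked before the certificate is uploaded. The script below is an added example, not part of the VMware documentation: it uses the standard `openssl` command, and the host names (`idm.example.test`, `node1.example.test`, `node2.example.test`) and the helper functions `check_cert_names` and `make_sample_cert` are constructed for illustration.

```sh
#!/bin/sh
# check_cert_names CERT_PEM FQDN...
# Returns 0 only if CERT_PEM is PEM-encoded and the first certificate in the
# file matches every FQDN given (user-facing name plus each cluster node).
check_cert_names() {
    cert=$1; shift
    # Prerequisite: PEM format (look for the armor line, then parse it).
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null ||
       ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert is not a PEM certificate" >&2
        return 2
    fi
    rc=0
    for name in "$@"; do
        # -checkhost ignores the Common Name once any DNS SAN is present,
        # so the user-facing FQDN must be listed as a SAN as well.
        if openssl x509 -in "$cert" -noout -checkhost "$name" |
           grep -q 'does match certificate'; then
            echo "ok:   $name"
        else
            echo "FAIL: certificate does not match $name" >&2
            rc=1
        fi
    done
    return "$rc"
}

# make_sample_cert: writes a constructed, self-signed test certificate and
# prints its path. It stands in for the CA-signed certificate to be checked.
make_sample_cert() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = idm.example.test
[ext]
subjectAltName = DNS:idm.example.test, DNS:node1.example.test, DNS:node2.example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    echo "$dir/cert.pem"
}

# Demo on the constructed certificate: all three names are covered.
sample=$(make_sample_cert)
check_cert_names "$sample" idm.example.test node1.example.test node2.example.test
```

A non-zero exit status means at least one cluster node or the user-facing FQDN is missing from the certificate, so it should be reissued with the complete SAN list before it is installed.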
Procedure
Example: Certificate Examples
Certificate Chain Example |
---|
-----BEGIN CERTIFICATE----- |
jlQvt9WdR9Vpg3WQT5+C3HU17bUOwvhp/r0+ ... W53+O05j5xsxzDJfWr1lqBlFF/OkIYCPcyK1 |
-----END CERTIFICATE----- |
-----BEGIN CERTIFICATE----- |
WdR9Vpg3WQT5+C3HU17bUOwvhp/rjlQvt90+ ... O05j5xsxzDJfWr1lqBlFF/OkIYCPW53+cyK1 |
-----END CERTIFICATE----- |
-----BEGIN CERTIFICATE----- |
dR9Vpg3WQTjlQvt9W5+C3HU17bUOwvhp/r0+ ... 5j5xsxzDJfWr1lqW53+O0BlFF/OkIYCPcyK1 |
-----END CERTIFICATE----- |
Private Key Example |
---|
-----BEGIN RSA PRIVATE KEY----- |
jlQvtg3WQT5+C3HU17bU9WdR9VpOwvhp/r0+ ... 1lqBlFFW53+O05j5xsxzDJfWr/OkIYCPcyK1 |
-----END RSA PRIVATE KEY----- |