This article provides a high-level overview of the correct procedure for replacing the SSL certificate for a VMware Identity Manager (vIDM) cluster that is fronted by an NSX-T load balancer.

If the certificate is replaced on the NSX-T load balancer but the trust is not updated in Aria Suite Lifecycle, you may see errors during health checks or other Day 2 operations. A common error returned by Aria Suite Lifecycle is:

LCMVIDM71092

Failed to trust load balancer's certificate. Ensure load balancer has proper root certificate or provide the root certificate chain as retry param 'vidmLBRootCertificateChain' and try again...

VMware Identity Manager 3.3.x

Note on SSL Configuration: This procedure assumes your load balancer is configured for SSL Termination, which is the recommended approach. If your load balancer uses SSL Passthrough, the certificate is served directly from the VMware Identity Manager nodes, and this procedure does not apply.

1. Generate a New Certificate
   Request a new SSL certificate from your Certificate Authority (CA) or generate one within Aria Suite Lifecycle. It must meet the following requirements:
   • The Common Name (CN) must be the FQDN of the load balancer.
   • The Subject Alternative Name (SAN) field must include the FQDNs and IP addresses for all VMware Identity Manager nodes and the load balancer's virtual IP (VIP).
2. Import Certificate to Lifecycle Locker
   If you used an external CA, import the new certificate and its full chain (Root, Intermediate) into the Aria Suite Lifecycle Locker.
3. Add Certificate to NSX-T
   In the NSX-T Manager UI, navigate to System > Certificates and click on Import > Certificates and import the new SSL certificate. (Note: Ensure that you are adding entire certificate chain i.e. Server/Leaf, Imtermediate (if any) and Root certificates)
4. Assign Certificate to the Virtual Server
   Navigate to Networking > Load Balancing > Virtual Servers and Networking > Load Balancing > Pools
   • Find the virtual server for your VMware Identity Manager cluster and choose to Edit Server pools for VIDM appliance and click on SSL Configuration > Configure.
   • In the Server Certificate section, assign the new certificate for both Client and Server SSL.
5. Update Trust in Aria Suite Lifecycle
   Navigate back to the Aria Suite Lifecycle UI. For the VMware Identity Manager environment, trigger the Re-Trust Load Balancer operation to import the new public certificate.
6. Update Trust on Dependent Products
   For any other Aria products that are integrated with VMware Identity Manager (e.g., Aria Automation), trigger the Re-Trust Identity Manager action to ensure they trust the new certificate.