Procedure to replace certificate for clustered vIDM using NSX-T load balancer and Aria Suite Lifecycle
Article ID: 315179

Products

VMware Aria Suite

Issue/Introduction

This article gives a high-level overview of the process of replacing the certificate on a vIDM cluster.

Errors are shown about the system failing to start up or not accepting the certificate, for example:

LCMVIDM71092
Failed to trust load balancer's certificate. Ensure load balancer has proper root certificate or provide the root certificate chain as retry param 'vidmLBRootCertificateChain' and try again.
Unable to fetch root/intermediate CA certificates from the certificate chain provided. Failed to trust vIDM load balancer certificate. Retry by providing the root or intermediate CA certificate chain.


Environment

VMware Identity Manager 3.3.x

Resolution

Here is the set of steps for changing the certificate of a cluster where the load balancer is provided by NSX-T.

(If your load balancer is configured for SSL passthrough, you should not need to replace any certificate in the load balancer; in that case the certificate presented to clients comes directly from the nodes.)

  1. First, create the new certificate for the vIDM cluster, in Aria Suite Lifecycle or your CA:
    1. Use the cluster FQDN (the load balancer address) as the Common Name (CN).
    2. In the Subject Alternative Names, list all FQDNs and IP addresses of the nodes, plus the load balancer address.
    3. Fill in the other details with sensible, correct values and avoid special characters.
  2. If you created the certificate in an external CA, import it into your LCM Locker.
  3. In NSX, go to System > Certificates and add the certificate.
  4. Then go to Load Balancer > Virtual Servers.
  5. Find the virtual server for vIDM, click the three dots and choose Edit.
  6. Configure SSL and set the new certificate for both Client and Server.
  7. Back in LCM, select the expired certificate > Replace and choose the vIDM environment.
  8. On the vIDM environment, run Re-Trust Load Balancer.
  9. On Aria products dependent on vIDM, choose Re-Trust Identity Manager.
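As an added example (not part of the KB article), the shell below writes the OpenSSL request config for step 1, with the load balancer FQDN as the CN and every node FQDN/IP plus the load balancer as SANs, and checks that a PEM chain carries more than just the leaf before NSX-T and LCM are asked to trust it. All hostnames and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the KB article: build the OpenSSL request config for step 1
# (CN = load balancer FQDN, SANs = every node FQDN/IP plus the LB) and sanity-check a
# PEM chain before NSX-T / LCM are asked to trust it. Hostnames and IPs are constructed.

# san_config <cn> <san...>: print an openssl req config; dotted all-numeric SANs become IP: entries
san_config() {
  cn=$1; shift
  printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n\n'
  printf '[dn]\nCN = %s\n\n[ext]\nsubjectAltName = @alt\n\n[alt]\n' "$cn"
  d=1; i=1
  for san in "$@"; do
    case $san in
      *[!0-9.]*) printf 'DNS.%d = %s\n' "$d" "$san"; d=$((d + 1)) ;;
      *)         printf 'IP.%d = %s\n' "$i" "$san";  i=$((i + 1)) ;;
    esac
  done
}

# chain_cert_count <pem>: number of certificates in a PEM bundle
chain_cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# chain_ok <pem>: succeed only if the bundle holds the leaf plus at least one CA certificate;
# a leaf-only bundle is what leaves LCM unable to resolve the root/intermediate (LCMVIDM71092)
chain_ok() { [ "$(chain_cert_count "$1")" -ge 2 ]; }

# --- demo with constructed values ---
LB_FQDN=vidm.corp.example
NODES="vidm-node1.corp.example vidm-node2.corp.example vidm-node3.corp.example 10.0.0.11 10.0.0.12 10.0.0.13"
tmpd=$(mktemp -d)
san_config "$LB_FQDN" "$LB_FQDN" $NODES > "$tmpd/vidm.cnf"   # word-splitting of $NODES is intended
cat "$tmpd/vidm.cnf"
# Key + CSR to submit to the CA (only when openssl is installed)
if command -v openssl >/dev/null 2>&1; then
  openssl req -new -newkey rsa:2048 -nodes -keyout "$tmpd/vidm.key" \
    -out "$tmpd/vidm.csr" -config "$tmpd/vidm.cnf" 2>/dev/null &&
  openssl req -in "$tmpd/vidm.csr" -noout -text | grep -A1 'Subject Alternative Name' ||
  echo "openssl CSR step failed"
fi
# Constructed stand-in for a leaf-only chain file (real deployments paste leaf + intermediate + root)
printf -- '-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n' > "$tmpd/chain.pem"
chain_ok "$tmpd/chain.pem" && echo "chain complete" ||
  echo "chain is leaf-only: retry LCM with vidmLBRootCertificateChain"
```

The printed config is what you pass to `openssl req -config`; the chain check is the same condition LCM applies when it tries to extract root/intermediate CA certificates from what the load balancer presents.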