Adding or Replacing Certificates for VMware Identity Manager in Aria Suite Lifecycle


Article ID: 372708


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

This article provides the complete process for a clean certificate replacement for VMware Identity Manager (VIDM) managed by Aria Suite Lifecycle. One or more of the following symptoms indicate that the VIDM certificate is about to expire or has already expired:

  • Aria Suite Lifecycle Locker > Certificates shows a yellow warning triangle next to the certificate, and inspecting it shows an expiration date within four weeks. If so, schedule a maintenance window and run through this process as soon as possible; replacing the certificate before expiry is considerably simpler than recovering after it (see Stage 3).
  • Triggering VIDM sync in LCM results in error LCMVIDM71059, with a full error snippet reporting:
    Exception message: vIDM GET Association Ruleset failed with status code : 401. API Response : Unauthorized
  • Signing in to Workspace ONE with a VIDM user, or to other Broadcom products that use VIDM authentication, fails with an error page (shown as a screenshot in the original article).
  • Signing into Workspace ONE with a system domain admin user may show the error: An Unexpected error has occurred. Please try again later.
  • The VIDM health check reports an error connecting to the Identity Manager FQDN, and the error does not clear.
  • The UI fails to load and the URL redirects to https://<vIDM_LB_FQDN>/hc/error, potentially displaying an error such as: Error: You do not have permission to access this page: /hc/3104/authenticate/. However, when accessing the VIDM nodes directly using their individual URLs, the UI loads correctly and the config-state.json file is not corrupted. This issue only occurs when accessing the VIDM UI through the load balancer's FQDN, which points at the load balancer certificate rather than the node certificates (see Stage 2).

  • The error PKIX path validation failed: java.security.cert.CertPathValidatorException: Could not validate certificate: certificate expired occurs while accessing VMware Identity Manager.

Environment

VMware Identity Manager 3.3.x
Aria Suite Lifecycle Manager 8.x
Aria Automation 8.x

Resolution

VMware Identity Manager Certificate Replacement Stages

Note: This is the ideal process, assuming the certificate is replaced before the current certificate expires. Where a stage differs for an already-expired certificate (Stage 2, step 5 and Stage 3, step 2), the difference is called out.

Stage 1: Certificate Creation

  1. Self-Signed Certificate
    1. Create the certificate from the Aria Suite Lifecycle Locker with the correct details and SANs (for a clustered setup the SANs must cover the load balancer FQDN as well as each node FQDN).
    2. Download the .pem.

    Structure of the downloaded .pem, in this order:

    --server certificate--
    --root ca cert--
    --private key--
  2. CA-Signed Certificate
    1. Generate a CSR from Aria Suite Lifecycle and download it.
    2. Submit the CSR to the CA and have it signed.
    3. Upload the signed certificate into the Aria Suite Lifecycle Locker.
  3. Custom Certificate
    1. Upload the custom signed certificate, with its private key and chain, into Aria Suite Lifecycle for consumption.

Stage 2: Update Load Balancer Certificates

  • Applicable to a clustered VMware Identity Manager setup. Proceed to the next stage for a single-node setup.
  • This is a critical requirement: the load balancer virtual server for VMware Identity Manager is normally configured for SSL termination, so clients connecting through the load balancer FQDN are presented with the load balancer's certificate, not the nodes'. An expired certificate on the virtual server breaks sign-in through the load balancer even while the node certificates are still valid.
  • The steps below describe certificate replacement for virtual servers configured on VMware NSX. Follow the equivalent steps if another supported load balancer is used instead of NSX.
  1. Preparing the Certificates for NSX Upload

    Partition the .pem downloaded from Aria Suite Lifecycle into two files:

    • root.cer: --root ca cert--
    • Server certificate with key: --server cert--- and --private key--
  2. Import CA Certificate into NSX Manager
    • Navigate to Certificates > Import > Import CA Certificate.
    • Load root.cer, make sure the Service Certificate check box is selected (the certificate is consumed by the load balancer service), and import.
  3. Import Server Certificate with Key into NSX Manager
    • Navigate to Certificates > Import > Import Certificate.
    • Load the --server cert-- in the server certificate section.
    • Load the --private key-- in the private key section.
    Important: In some cases, it is not required to import the Server and Root certs separately. Rather, the entire certificate chain (Server/Leaf, Intermediate, and Root) can be added once from the System > Certificate > Import > Certificate page. Refer to How to replace a vIDM cluster load balancer certificate in NSX-T and update Aria Suite Lifecycle for steps.
  4. Apply the Updated Certificates on the NSX Virtual Server
    • Navigate to Networking > Load Balancing > Virtual Servers (or Networking > Load Balancing > Monitor) and select the virtual server for VMware Identity Manager.
    • Click the ellipsis (three dots) and select Edit.
    • Select SSL Configuration and click Edit.
    • For Server Certificate, select the new certificate uploaded.
    • Click Advanced Configurations.
    • Click the drop-down for Trusted Root CA Certificate and select the newly imported Aria Suite Lifecycle root CA certificate.
    • Save the configuration. The VMware Identity Manager load balancer virtual IP should now present the updated certificate.
  5. Re-trust with Load Balancer
    • Trigger Re-trust with Load Balancer for VMware Identity Manager from Aria Suite Lifecycle.
    • This makes the nodes trust the new load balancer certificate.
    • Note: If the certificate has already expired, complete Stage 3, Certificate Replacement Post Expiry, first, then re-trust with the load balancer.
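Stage 2, step 1 asks for the Locker .pem to be cut into root.cer and a server certificate plus key, and step 4 expects the result to be the certificate the virtual IP then presents. The script below is an added example, not part of the KB article or of any Broadcom tooling: it splits the bundle on the PEM BEGIN/END markers, assuming the Locker layout given in Stage 1 (server certificate, then root CA certificate, then private key), and then uses openssl to confirm that the leaf chains to root.cer, that the key belongs to the leaf, and that the leaf is not already inside the four-week warning window before anything is uploaded to NSX. The sample bundle it builds is constructed placeholder data, so only the splitting is exercised on it.

```shell
#!/usr/bin/env bash
# Added example (not from the KB article): split the .pem bundle downloaded from
# the Aria Suite Lifecycle Locker into the pieces NSX Manager imports separately
# (Stage 2, step 1), then sanity-check the result before uploading it.
# Assumes the Locker bundle layout described in Stage 1: server certificate,
# then root CA certificate, then private key.
set -u

# Copy PEM blocks whose label ends in $3 ("CERTIFICATE" or "PRIVATE KEY") from
# bundle $1 to file $2. $4 selects which blocks: first, rest (all but the first)
# or all. Matching the label as a suffix covers "RSA PRIVATE KEY",
# "EC PRIVATE KEY" and PKCS#8 "PRIVATE KEY" headers alike.
extract_pem_blocks() {
  awk -v label="$3" -v which="$4" '
    $0 ~ ("^-----BEGIN .*" label "-----$") { inblock = 1; n++ }
    inblock {
      if (which == "all" || (which == "first" && n == 1) || (which == "rest" && n > 1)) print
    }
    $0 ~ ("^-----END .*" label "-----$") { inblock = 0 }
  ' "$1" > "$2"
}

# Count PEM blocks in a file; prints 0 when there are none.
count_pem_blocks() {
  grep -c '^-----BEGIN ' "$1" || true
}

# $1 = Locker bundle, $2 = output directory. Produces:
#   server.cer  leaf certificate   -> NSX "Import Certificate", server certificate field
#   server.key  private key        -> NSX "Import Certificate", private key field
#   root.cer    CA certificate(s)  -> NSX "Import CA Certificate" (Service Certificate checked)
split_locker_pem() {
  mkdir -p "$2"
  extract_pem_blocks "$1" "$2/server.cer" "CERTIFICATE" first
  extract_pem_blocks "$1" "$2/root.cer"   "CERTIFICATE" rest
  extract_pem_blocks "$1" "$2/server.key" "PRIVATE KEY" all
  chmod 600 "$2/server.key"   # the key is the sensitive part; keep it unreadable to others
}

# Checks to run before uploading: the leaf chains to root.cer, the key matches
# the leaf, and the leaf is not inside the Locker's four-week warning window
# (4 weeks = 2419200 s). Skipped when openssl is not installed.
verify_split() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping verification" >&2; return 0; }
  openssl verify -CAfile "$1/root.cer" "$1/server.cer" || return 1
  cert_pub="$(openssl x509 -noout -pubkey -in "$1/server.cer")"
  key_pub="$(openssl pkey -pubout -in "$1/server.key")"
  [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match server.cer" >&2; return 1; }
  openssl x509 -noout -checkend 2419200 -in "$1/server.cer" ||
    { echo "server.cer expires within four weeks" >&2; return 1; }
}

# Constructed sample bundle in the Locker layout. The base64 bodies are
# placeholders, not real certificates or key material, so verify_split would
# (correctly) reject them; they exist only to exercise the splitting logic.
make_sample_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
U0VSVkVSLUNFUlQtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Uk9PVC1DQS1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
UFJJVkFURS1LRVktUExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
EOF
}

# Usage: ./split_locker_pem.sh locker.pem ./nsx-upload
if [ "$#" -ge 2 ]; then
  split_locker_pem "$1" "$2"
  verify_split "$2"
fi
```

If the Locker bundle carries an intermediate CA as well, it lands in root.cer together with the root, which is the same chain the NSX "import the whole chain once" variant in step 3 expects. After step 4, the same openssl -checkend test can be pointed at what the virtual IP actually serves (openssl s_client -connect <vIDM_LB_FQDN>:443 -servername <vIDM_LB_FQDN>) to confirm the load balancer presents the new certificate rather than a cached old one.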

Stage 3: Replace Certificates on VMware Identity Manager Nodes

  1. Certificate Replacement Prior to Expiry
    • If the certificates are being replaced from Aria Suite Lifecycle before expiry, select Replace Certificates.
    • Review the current certificates and select the newly generated certificate from the Locker.
    • Click Submit. This replaces the certificates on all nodes in a clustered setup.
  2. Certificate Replacement Post Expiry

    If the certificates have already expired, Aria Suite Lifecycle can no longer connect to the nodes (TLS validation fails with the PKIX error listed above), so the certificate must be replaced on each node through its connector admin pages.

    1. Log in to the connector admin pages at https://vIDM_node_FQDN:8443/cfg/login as the admin user. (Note: If the page is blank or redirects to the database selector, navigate to https://vIDM_node_FQDN:8443/cfg/ssl instead.)
    2. Select Custom SSL Certificates.
    3. In the SSL Certificate Chain, paste the entire chain from the .pem file:
      --server certificate ---
      --root ca cert--
    4. In the Private Key section, paste the --private key--.
    5. Click Apply. Repeat for all nodes in a cluster.
    6. Log in to Aria Suite Lifecycle and trigger an Inventory Sync for VMware Identity Manager, followed by a Re-trust with Load Balancer for clustered setups.

Stage 4: Update Aria Automation to Trust VMware Identity Manager

This updates the Aria Automation appliances with the new Identity Manager certificates and rebuilds the services.

  1. Trigger Inventory Sync for Aria Automation.
  2. Trigger Re-trust with VMware Identity Manager.
Note: If you cannot sign into Workspace ONE using the VIDM LB with a VIDM user, please follow the steps in Troubleshooting LCMVIDM71077: Unable to trust the load balancer certificate assigned to VIDM.