vIDM SSL Thumbprint Trouble


For Role Based Access Control (RBAC) in NSX-T we need to configure integration with VMware Identity Manager.

There’s an excellent VMware blog post that explains in detail how to set up vIDM and how to configure the integration in NSX Manager.

The problem

When setting this up myself I ran into a small problem that stopped me from completing the configuration.

When I tried to add the vIDM configuration in NSX Manager I received an error:

“Invalid VMware Identity Manager thumbprint specified.” That’s very strange, as that is the correct thumbprint. I checked it once more from the vIDM CLI:

openssl x509 -in vidm.rainpole.local_cert.pem -noout -sha256 -fingerprint

It definitely is the same thumbprint. What’s going on here?

Troubleshooting

Then it hit me that I had replaced the vIDM’s default self-signed SSL certificate with a CA-signed certificate, as per the vIDM documentation. Could it be that the “vidm.rainpole.local_cert.pem” file was not replaced during that process and is in fact still the default self-signed certificate? I had a closer look at that PEM file:

openssl x509 -in vidm.rainpole.local_cert.pem -text -noout

Ouch! This is indeed the default self-signed certificate. No wonder NSX Manager doesn’t like the thumbprint: it doesn’t correspond to the SSL certificate the vIDM appliance is actually serving.

The solution

To get the actual certificate fingerprint I ran the following command from my jump host:

openssl s_client -servername vidm.rainpole.local -connect vidm.rainpole.local:443 | openssl x509 -fingerprint -sha256 -noout

And there it was! I pasted the fingerprint into the NSX Manager’s vIDM configuration, hit Save, and the thumbprint was accepted.

Lesson learned

Do not take the SSL certificate thumbprint from a certificate file on the vIDM appliance CLI; that file may not be the certificate in use. Instead, let openssl connect to the vIDM web server and fetch the thumbprint of the SSL certificate it actually presents, and you know you’re good.
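To make the lesson repeatable, here is a small POSIX shell script (an added example, not code from the original post) that computes the SHA-256 fingerprint of a certificate file on disk and of the certificate presented by a live TLS endpoint, then reports whether they match. The hostnames and file names it takes are placeholders you supply; the check itself is the same openssl pipeline the post uses, with two practical additions: -servername so a server that selects its certificate by SNI returns the right one, and stdin redirected from /dev/null so s_client exits instead of waiting for you to press Ctrl-D.

```shell
#!/bin/sh
# Added example (not from the original post): compare the SHA-256 fingerprint
# of a PEM file with the fingerprint of the certificate a TLS endpoint serves.
# NSX Manager validates against the served certificate, so that is the one
# whose thumbprint belongs in the vIDM configuration.

# Fingerprint of a PEM certificate file as colon-separated uppercase hex,
# with the "SHA256 Fingerprint=" / "sha256 Fingerprint=" prefix stripped so
# the value can be compared as a plain string.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -sha256 -fingerprint | sed 's/^.*=//'
}

# Fingerprint of the certificate presented at host:port (port defaults to 443).
# -servername sends SNI; </dev/null makes s_client return after the handshake.
endpoint_fingerprint() {
    host=$1
    port=${2:-443}
    openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 -noout -sha256 -fingerprint | sed 's/^.*=//'
}

# Returns 0 when both fingerprints are non-empty and identical, 1 otherwise.
# An empty value means one side could not be read and must never count as a match.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Usage: check_vidm_thumbprint <cert.pem> <host> [port]
# Prints which thumbprint to paste into NSX Manager when the file is stale.
check_vidm_thumbprint() {
    local_fp=$(pem_fingerprint "$1")
    live_fp=$(endpoint_fingerprint "$2" "${3:-443}")
    if fingerprints_match "$local_fp" "$live_fp"; then
        echo "MATCH: $local_fp"
        return 0
    fi
    echo "MISMATCH"
    echo "  file $1 : $local_fp"
    echo "  live $2 : $live_fp   <- this is the thumbprint NSX Manager expects"
    return 1
}

# Run the check only when a file and host are given on the command line,
# e.g.: sh check_thumbprint.sh vidm.rainpole.local_cert.pem vidm.rainpole.local
if [ "$#" -ge 2 ]; then
    check_vidm_thumbprint "$@"
fi
```

Point the host argument at the address NSX Manager will actually connect to; if that is a load balancer rather than the appliance itself, the fingerprint returned is the one of the certificate the balancer presents, which is the one NSX Manager sees. If a given server ignores SNI, dropping -servername (as one commenter below did) gives the same result; keeping it costs nothing and avoids fetching the wrong certificate on hosts that serve several.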

3 comments

  1. Thanks for the blog post! Unfortunately the

    That syntax (openssl s_client -servername vidm.rainpole.local -connect vidm.rainpole.local:443 | openssl x509 -fingerprint -sha256 -noout) didn’t work for me – this, however, did:

    openssl s_client -connect vidm.blah.com:443 | openssl x509 -fingerprint -sha256 -noout

    Cheers
    Glynn


  2. What if our vIDM is behind a load balancer? How should this be handled in that case, since NSX must connect to the balancer address?
