@saravm2010,
Recommended Certificate Handling for vRA & vIDM Load Balancers
Preferred Approach: SSL Termination at the Load Balancer
VMware recommends SSL termination at the load balancer for both vRA and vIDM in clustered setups (see https://docs.vmware.com/en/vRealize-Automation/8.10/Administering/GUID-46BD5B3D-4FDA-447B-9510-FCB881D33162.html). Here's why:
- Simplifies certificate management: One cert on the LB covers all incoming traffic.
- Improves performance: Offloads SSL processing from backend nodes.
- Enables advanced LB features: Like content switching, health checks, and easier troubleshooting.
Certificate Requirements
Load Balancer Certs:
- Should include FQDNs of the LB and all tenants (default + custom).
- Must list IP addresses of the LB in the SAN field.
Node-Level Certs (Optional but recommended for internal trust):
- vRA and vIDM nodes can still have their own certs for node-to-node communication.
- Useful if you enable SSL re-encryption (termination + re-encryption to backend).
When to Use SSL Passthrough Instead
Use SSL passthrough only if:
- You need end-to-end encryption without LB termination.
- You're using client certificate authentication that must reach the backend.
- You want to avoid managing certs on the LB and prefer certs on each node (though this adds complexity).
------------------------------
If you find this answer right, please 'Recommend' this post.
Thank you!
Regards,
Shen
------------------------------