vCenter Single Sign-On provides a Security Token Service (STS). The Security Token Service is a Web service that issues, validates, and renews security tokens (SAML tokens); the tokens are signed with the STS signing certificate, which is what relying services trust. You can manually refresh the existing Security Token Service certificate when it expires or changes.

About this task

STS certificates expire or change periodically and must be updated or refreshed. In some environments, your system administrator might implement automatic updates of the certificate. Otherwise, you can update the certificate manually.


The vCenter Certificate Automation Tool replaces only the SSL certificates. It cannot be used to replace the STS certificates, so the STS signing certificate must be refreshed with the procedure below.


  1. Log in to the vSphere Web Client as administrator@vsphere.local or as another user with vCenter Single Sign-On administrator privileges.

    Users with vCenter Single Sign-On administrator privileges are in the CAAdmins group.

  2. Browse to Administration > Single Sign-On > Configuration.
  3. Select the Certificates tab, then the STS Signing subtab, and click Add STS Signing Certificate.
  4. Click Browse, select the JKS key store file that contains the new signing certificate together with its private key, and click Open.

    If the key store file is valid, the STS certificate table is populated with the certificate information.

  5. Click OK.


The new certificate information appears on the STS Signing tab.
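Step 4 accepts a JKS key store and only reports whether it is "valid" after the upload. The usual pre-check is keytool -list -v -keystore file.jks, but keytool is not always at hand on the workstation doing the upload. The following is an added example, not part of VMware's documentation or product: a small pure-Python reader for the JKS container that lists the entries, verifies the key store integrity digest against the password, and checks that the file holds exactly one private-key entry with a certificate chain, which is what an STS signing key store needs (a trusted-certificate-only store cannot sign tokens). The sample key store, the alias "sts-signing", and the placeholder certificate bytes are constructed here; the builder exists only to produce test input, and the parser is what you would run over a real file.

```python
import hashlib
import struct
from dataclasses import dataclass

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY_TAG = 1
TRUSTED_CERT_TAG = 2
# Fixed string the JDK mixes into the integrity digest (JavaKeyStore.getPreKeyedHash).
JKS_INTEGRITY_SALT = b"Mighty Aphrodite"


@dataclass
class JksEntry:
    alias: str
    kind: str          # "private_key" or "trusted_cert"
    cert_count: int    # chain length for a key entry, 1 for a trusted cert
    cert_types: list   # e.g. ["X.509", "X.509"]


class _Reader:
    """Big-endian cursor over the key store bytes; raises on truncation."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated keystore")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u2(self): return struct.unpack(">H", self.take(2))[0]
    def u4(self): return struct.unpack(">I", self.take(4))[0]
    def u8(self): return struct.unpack(">Q", self.take(8))[0]
    def utf(self): return self.take(self.u2()).decode("utf-8")
    def blob(self): return self.take(self.u4())


def jks_integrity_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over UTF-16BE(password) || 'Mighty Aphrodite' || all bytes before the digest."""
    return hashlib.sha1(password.encode("utf-16-be") + JKS_INTEGRITY_SALT + body).digest()


def parse_jks(data: bytes, password: str):
    """Return (entries, integrity_ok). Raises ValueError if the container is malformed."""
    r = _Reader(data)
    if r.u4() != JKS_MAGIC:
        raise ValueError("not a JKS keystore (bad magic)")
    version = r.u4()
    if version not in (1, 2):
        raise ValueError(f"unsupported JKS version {version}")
    entries = []
    for _ in range(r.u4()):
        tag = r.u4()
        alias = r.utf()
        r.u8()                       # creation timestamp (ms); not needed for this check
        if tag == PRIVATE_KEY_TAG:
            r.blob()                 # PKCS#8 EncryptedPrivateKeyInfo; left opaque here
            types = []
            for _ in range(r.u4()):  # certificate chain
                types.append(r.utf() if version == 2 else "X.509")
                r.blob()             # DER certificate bytes
            entries.append(JksEntry(alias, "private_key", len(types), types))
        elif tag == TRUSTED_CERT_TAG:
            ctype = r.utf() if version == 2 else "X.509"
            r.blob()
            entries.append(JksEntry(alias, "trusted_cert", 1, [ctype]))
        else:
            raise ValueError(f"unknown entry tag {tag}")
    body_end = r.pos
    stored = r.take(20)              # trailing SHA-1 integrity digest
    if r.pos != len(data):
        raise ValueError("trailing bytes after integrity digest")
    return entries, stored == jks_integrity_digest(password, data[:body_end])


def sts_keystore_ready(data: bytes, password: str) -> bool:
    """True if the digest verifies and the store holds exactly one key entry with a chain."""
    entries, ok = parse_jks(data, password)
    keys = [e for e in entries if e.kind == "private_key"]
    return ok and len(keys) == 1 and keys[0].cert_count >= 1


def _utf(s: str) -> bytes: return struct.pack(">H", len(s.encode())) + s.encode()
def _blob(b: bytes) -> bytes: return struct.pack(">I", len(b)) + b


def build_sample_jks(password: str) -> bytes:
    """Constructed sample (not a real key store): one key entry with a two-certificate chain."""
    body = struct.pack(">III", JKS_MAGIC, 2, 1)
    body += struct.pack(">I", PRIVATE_KEY_TAG) + _utf("sts-signing") + struct.pack(">Q", 0)
    body += _blob(b"encrypted-key-placeholder")           # not real PKCS#8 data
    body += struct.pack(">I", 2)
    for cert in (b"leaf-cert-placeholder", b"ca-cert-placeholder"):  # not real DER
        body += _utf("X.509") + _blob(cert)
    return body + jks_integrity_digest(password, body)


if __name__ == "__main__":
    sample = build_sample_jks("changeit")
    for e in parse_jks(sample, "changeit")[0]:
        print(e)
    print("ready for STS upload:", sts_keystore_ready(sample, "changeit"))
```

On a real file, pass the bytes of the JKS and its password to sts_keystore_ready before step 4; a wrong password shows up as a failed integrity digest rather than a parse error, and a store that only contains trusted certificates is rejected because it has no private key to sign tokens with. The certificate bytes are left opaque, so expiry of the new certificate still needs to be checked with keytool or openssl.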

What to do next

Restart the vSphere Web Client service.