If you want to replace the default vCenter Single Sign-On Security Token Service (STS) signing certificate, you have to generate a new certificate and add it to the Java key store. This procedure explains the steps on an embedded deployment appliance or an external Platform Services Controller appliance.

About this task

Note:

This certificate is valid for ten years and is not an external-facing certificate. Do not replace this certificate unless your company's security policy requires it.

See Generate a New STS Signing Certificate on a vCenter Windows Installation if you are running a Platform Services Controller Windows installation.

Procedure

  1. Create a top-level directory to hold the new certificate and verify the location of the directory.
    mkdir newsts
    cd newsts
    pwd
    # resulting output: /root/newsts
  2. Copy the certool.cfg file into the new directory.
    cp /usr/lib/vmware-vmca/share/config/certool.cfg /root/newsts
    
  3. Open your copy of the certool.cfg file and edit it to use the local Platform Services Controller IP address and hostname.

    The country is required and has to be two characters, as shown in the following example.

    #
    # Template file for a CSR request
    #
    
    # Country is needed and has to be 2 characters
    Country = US
    Name = STS
    Organization = ExampleInc
    OrgUnit = ExampleInc Dev
    State = Indiana
    Locality = Indianapolis
    IPAddress = 10.0.1.32
    Email = chen@exampleinc.com
    Hostname = homecenter.exampleinc.local
  4. Generate the key.
    /usr/lib/vmware-vmca/bin/certool --server localhost --genkey --privkey=/root/newsts/sts.key --pubkey=/root/newsts/sts.pub
  5. Generate the certificate.
    /usr/lib/vmware-vmca/bin/certool --gencert --cert=/root/newsts/newsts.cer --privkey=/root/newsts/sts.key --config=/root/newsts/certool.cfg
    
  6. Convert the certificate to PKCS #12 format.
    openssl pkcs12 -export -in /root/newsts/newsts.cer -inkey /root/newsts/sts.key -certfile /etc/vmware-sso/keys/ssoserverRoot.crt -name "newstssigning" -passout pass:changeme -out newsts.p12
  7. Add the certificate to the Java key store (JKS).
    /usr/java/jre-vmware/bin/keytool -v -importkeystore -srckeystore newsts.p12 -srcstoretype pkcs12 -srcstorepass changeme -srcalias newstssigning -destkeystore root-trust.jks -deststoretype JKS -deststorepass testpassword -destkeypass testpassword
    
    /usr/java/jre-vmware/bin/keytool -v -importcert -keystore root-trust.jks -deststoretype JKS -storepass testpassword -keypass testpassword -file /etc/vmware-sso/keys/ssoserverRoot.crt -alias root-ca
    
  8. When prompted, type Yes to accept the certificate into the keystore.

What to do next

You can now import the new certificate. See Refresh the Security Token Service Certificate.