The vCenter Single Sign-On server includes a Security Token Service (STS). The Security Token Service is a Web service that issues, validates, and renews security tokens. You can manually refresh the existing Security Token Service certificate from the vSphere Web Client when the certificate expires or changes.

To acquire a SAML token, a user presents the primary credentials to the Secure Token Server (STS). The primary credentials depend on the type of user:
Solution user
Valid certificate
Other users
User name and password available in a vCenter Single Sign-On identity source.

The STS authenticates the user using the primary credentials, and constructs a SAML token that contains user attributes. The STS service signs the SAML token with its STS signing certificate, and then assigns the token to a user. By default, the STS signing certificate is generated by VMCA.

After a user has a SAML token, the SAML token is sent as part of that user's HTTP requests, possibly through various proxies. Only the intended recipient (service provider) can use the information in the SAML token.

You can replace the existing STS signing certificate vSphere Web Client if your company policy requires it, or if you want to update an expired certificate.
Caution: Do not replace the file in the filesystem. If you do, errors that are unexpected and difficult to debug result.
Note: After you replace the certificate, you must restart the node to restart both the vSphere Web Client service and the STS service.


Copy the certificate that you just added to the java keystore from the Platform Services Controller to your local workstation.
Platform Services Controller appliance
certificate_location/keys/root-trust.jks For example: /keys/root-trust.jks
For example:
Windows installation
For example:
C:\Program Files\VMware\vCenter Server\jre\bin\root-trust.jks


  1. Log in to the vSphere Web Client as administrator@vsphere.local or as another user with vCenter Single Sign-On administrator privileges.
    Users with vCenter Single Sign-On administrator privileges are in the Administrators group in the local vCenter Single Sign-On domain, vsphere.local by default.
  2. Navigate to the Configuration UI.
    1. From the Home menu, select Administration.
    2. Under Single Sign On, click Configuration.
  3. Select the Certificates tab, then the STS Signing subtab, and click the Add STS Signing Certificate icon.
  4. Add the certificate.
    1. Click Browse to browse to the key store JKS file that contains the new certificate and click Open.
    2. Type the password when prompted.
    3. Click the top of the STS alias chain and click OK.
    4. Type the password again when prompted
  5. Click OK.
  6. Restart the Platform Services Controller node to start both the STS service and the vSphere Web Client.
    Before the restart, authentication does not work correctly so the restart is essential.