Because the vCenter Single Sign-On Security Token Service (STS) signing certificate is an internal VMware certificate, do not replace it unless your company mandates the replacement of internal certificates. If you want to replace the default STS signing certificate, you must first generate a new certificate and add it to the Java key store. This procedure explains the steps on a Windows installation.

Note: This certificate is valid for ten years and is not an external-facing certificate. Do not replace this certificate unless your company's security policy requires it.

See Generate a New STS Signing Certificate on the Appliance if you are using a virtual appliance.


  1. Create a directory to hold the new certificate.
    cd C:\ProgramData\VMware\vCenterServer\cfg\sso\keys\
    mkdir newsts
    cd newsts
  2. Make a copy of the certool.cfg file and place it in the new directory.
    copy "C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg" .
  3. Open your copy of the certool.cfg file and edit it to use the local Platform Services Controller IP address and hostname.
    The country is required and has to be two characters. The following sample illustrates this.
    # Template file for a CSR request
    # Country is needed and has to be 2 characters
    Country = US
    Name = STS
    Organization = ExampleInc
    OrgUnit = ExampleInc Dev
    State = Indiana
    Locality = Indianapolis
    IPAddress =
    Email =
    Hostname = homecenter.exampleinc.local
  4. Generate the key.
    "C:\Program Files\VMware\vCenter Server\vmcad\certool.exe" --server localhost --genkey --privkey=sts.key
  5. Generate the certificate
    "C:\Program Files\VMware\vCenter Server\vmcad\certool.exe" --gencert --cert=newsts.cer --privkey=sts.key --config=certool.cfg
  6. Convert the certificate to PK12 format.
    "C:\Program Files\VMware\vCenter Server\openSSL\openssl.exe" pkcs12 -export -in newsts.cer -inkey sts.key -certfile C:\ProgramData\VMware\vCenterServer\data\vmca\root.cer -name "newstssigning" -passout pass:changeme -out newsts.p12
  7. Add the certificate to the Java key store (JKS).
    "C:\Program Files\VMware\vCenter Server\jre\bin\keytool.exe" -v -importkeystore -srckeystore newsts.p12 -srcstoretype pkcs12 -srcstorepass changeme -srcalias newstssigning -destkeystore root-trust.jks -deststoretype JKS -deststorepass testpassword -destkeypass testpassword
    "C:\Program Files\VMware\vCenter Server\jre\bin\keytool.exe" -v -importcert -keystore root-trust.jks -deststoretype JKS -storepass testpassword -keypass testpassword -file C:\ProgramData\VMware\vCenterServer\data\vmca\root.cer -alias root-ca

What to do next

You can now import the new certificate. See Refresh the Security Token Service Certificate.