The vCenter Server Security Token Service (STS) is a Web service that issues, validates, and renews security tokens.
As a token issuer, STS uses a private key to sign the tokens and publishes the corresponding public certificates so that services can verify the token signature. vCenter Server manages the STS signing certificates and stores them in the VMware Directory Service (vmdir). Tokens can have a significant lifetime, and historically might have been signed by any one of multiple keys, so a verifying service must have access to every published signing certificate, not only the current one.
STS authenticates the user based on the primary credentials, and constructs a SAML token that contains user attributes.
By default, the VMware Certificate Authority (VMCA) generates the STS signing certificate. You can refresh the STS signing certificate with a new VMCA certificate. You can also import and replace the default STS signing certificate with a custom or third-party generated STS signing certificate. Do not replace the STS signing certificate unless the security policy of your company requires replacing all certificates.
You can use the vSphere Client to:
- Refresh STS certificates
- Import and replace custom and third-party generated STS certificates
- View STS certificate details, such as the expiration date
You can also use the command line to replace custom and third-party generated STS certificates.
STS Certificate Duration and Expiration
A fresh installation of vSphere 7.0 Update 1 or later creates an STS signing certificate with a duration of 10 years. When an STS signing certificate is close to expiring, an alarm warns you once per week starting 90 days before expiration, and then daily once the certificate is seven days from expiring.
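The warning cadence described above, modelled as an added example (not VMware code) that a monitoring script could use to decide on any given day whether an STS signing certificate warning is due. It assumes weekly warnings are anchored at exactly 90 days before the certificate's notAfter date; the sample expiry date is constructed.

```python
from datetime import date, timedelta

# Alarm policy for STS signing certificates as described in the text:
# weekly warnings beginning 90 days before expiry, daily warnings from 7 days out.
WEEKLY_FROM_DAYS = 90
DAILY_FROM_DAYS = 7

# Constructed sample: a certificate with the 10-year duration created on 2021-01-01.
SAMPLE_NOT_AFTER = date(2031, 1, 1)


def alarm_state(not_after: date, today: date) -> str:
    """Classify a certificate relative to the alarm thresholds."""
    remaining = (not_after - today).days
    if remaining < 0:
        return "expired"
    if remaining <= DAILY_FROM_DAYS:
        return "daily"
    if remaining <= WEEKLY_FROM_DAYS:
        return "weekly"
    return "ok"


def alarm_fires_today(not_after: date, today: date) -> bool:
    """True when a warning is due on 'today'.

    Weekly warnings fire at 90, 83, 76, ... days remaining (assumption: anchored at
    the 90-day mark); daily warnings fire every day from 7 days out through expiry;
    an expired certificate keeps raising so the condition is never silently missed.
    """
    remaining = (not_after - today).days
    state = alarm_state(not_after, today)
    if state == "daily" or state == "expired":
        return True
    if state == "weekly":
        return (WEEKLY_FROM_DAYS - remaining) % 7 == 0
    return False


def fires_days_before(not_after: date, days_before: int) -> bool:
    """Convenience wrapper: is a warning due 'days_before' days ahead of expiry?"""
    return alarm_fires_today(not_after, not_after - timedelta(days=days_before))


def alarm_dates(not_after: date) -> list:
    """Every date on which a warning fires, from the 90-day mark through expiry day."""
    return [not_after - timedelta(days=d) for d in range(WEEKLY_FROM_DAYS, -1, -1)
            if fires_days_before(not_after, d)]


if __name__ == "__main__":
    for d in alarm_dates(SAMPLE_NOT_AFTER):
        print(d, alarm_state(SAMPLE_NOT_AFTER, d))
```

Running the block prints 12 weekly dates followed by 8 daily ones for the sample certificate.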