The vCenter Single Sign-On Security Token Service (STS) is a Web service that issues, validates, and renews security tokens.

As a token issuer, STS uses a private key to sign tokens and publishes the public certificates for services to verify the token signature. vCenter Single Sign-On manages STS signing certificates. STS signing certificates are not stored in the VMware Endpoint Certificate Store (VECS) but in VMware Directory Service (vmdir). Tokens can have a significant lifetime, and historically might have been signed by any one of multiple keys.

Users present their primary credentials to the STS interface to acquire tokens. The primary credential depends on the type of user:
Solution user: a valid certificate.
Other users: a user name and password that exist in a vCenter Single Sign-On identity source.

STS authenticates the user based on the primary credentials, and constructs a SAML token that contains user attributes. By default, VMware Certificate Authority (VMCA) generates the STS signing certificate. You can view the STS signing certificate in the vSphere Client and replace the default certificate by using the CLI. Do not replace the STS signing certificate unless your company's security policy requires replacing all certificates.

STS Certificate Duration and Expiration

A fresh installation of vSphere 7.0 Update 1 and later creates an STS certificate with a duration of 10 years. When an STS certificate is close to expiring, a vCenter Server alarm warns you once per week starting 90 days before expiration, and then daily once expiration is seven days away.
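The following Go program is an added illustration of two points on this page, not code from VMware or from vCenter itself: how a relying service verifies a token signature against the set of published STS signing certificates (a long-lived token may have been signed by a key that has since been rolled, so every published certificate must be tried, and a token signed by an unpublished key must be rejected), and the alarm cadence for an expiring signing certificate. It assumes self-signed certificates in place of VMCA-issued ones, an opaque byte string in place of a real SAML assertion, RSA PKCS#1 v1.5 over SHA-256 as the signature scheme, and hypothetical subject names; none of those come from the page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SigningCert is one entry in the list of STS signing certificates. The STS
// keeps the private key; a relying service only ever sees the certificate.
type SigningCert struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// newSigningCert builds a self-signed certificate (an assumption standing in
// for a VMCA-issued STS signing certificate) valid for the given number of years.
func newSigningCert(cn string, notBefore time.Time, years int) (*SigningCert, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(years, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &SigningCert{Cert: cert, Key: key}, nil
}

// signToken is the issuer side: sign the token body with the STS private key.
func signToken(sc *SigningCert, body []byte) ([]byte, error) {
	h := sha256.Sum256(body)
	return rsa.SignPKCS1v15(rand.Reader, sc.Key, crypto.SHA256, h[:])
}

// verifyToken is the relying-service side: the token is accepted if any
// published signing certificate verifies the signature, because a token with
// a long lifetime may predate a signing-key rollover. It returns the matching
// certificate, or an error when no published certificate matches.
func verifyToken(published []*x509.Certificate, body, sig []byte) (*x509.Certificate, error) {
	h := sha256.Sum256(body)
	for _, c := range published {
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if !ok {
			continue
		}
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil {
			return c, nil
		}
	}
	return nil, errors.New("token signature matches no published STS signing certificate")
}

// expiryAlarm reproduces the alarm cadence described above: nothing until
// 90 days before NotAfter, weekly from 90 days, daily from 7 days, and
// "expired" once NotAfter has passed.
func expiryAlarm(c *x509.Certificate, now time.Time) string {
	if now.After(c.NotAfter) {
		return "expired"
	}
	daysLeft := int(c.NotAfter.Sub(now).Hours() / 24)
	switch {
	case daysLeft <= 7:
		return "daily"
	case daysLeft <= 90:
		return "weekly"
	default:
		return "none"
	}
}

func main() {
	now := time.Now()
	// Constructed scenario: an older signing certificate with one year left and
	// the current one issued today; a token signed before the rollover.
	old, _ := newSigningCert("ssoserverSign-old", now.AddDate(-9, 0, 0), 10)
	cur, _ := newSigningCert("ssoserverSign", now, 10)
	body := []byte("constructed token body, not a real SAML assertion")
	sig, _ := signToken(old, body)

	matched, err := verifyToken([]*x509.Certificate{cur.Cert, old.Cert}, body, sig)
	fmt.Println("verified with both certs published:", err == nil, matched.Subject.CommonName)
	_, err = verifyToken([]*x509.Certificate{cur.Cert}, body, sig)
	fmt.Println("verified with old cert unpublished:", err)
	fmt.Println("alarm for old cert now:", expiryAlarm(old.Cert, now))
	fmt.Println("alarm for old cert at 80 days left:", expiryAlarm(old.Cert, old.Cert.NotAfter.AddDate(0, 0, -80)))
}
```

The verifier deliberately does not stop at the first certificate in the list, and it does not trust any key that is not in the published set; that is what makes retaining the previous signing certificate during a rollover safe, and what makes replacing the certificate without republishing it break every outstanding token.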