The vCenter Single Sign-On Security Token Service (STS) is a Web service that issues, validates, and renews security tokens.

As a token issuer, STS uses a private key to sign tokens and publishes the public certificates for services to verify the token signature. vCenter Single Sign-On manages STS signing certificates. STS signing certificates are not stored in the VMware Endpoint Certificate Store (VECS) but in VMware Directory Service (vmdir). Tokens can have a significant lifetime, and historically might have been signed by any one of multiple keys. As a result, when you publish certificates for token verification, you must provide all the certificates that might have been used to sign tokens.
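The verification rule above (a verifier must keep every signing certificate that might have signed a still-valid token) as an added Go example; this is not VMware's code, it uses plain RSA signatures over a constructed token body in place of real SAML XML signatures, and the key names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// verifyToken reports whether sig is valid over tokenBytes under any published key.
// Historical keys must stay in the set as long as tokens they signed can be presented.
func verifyToken(tokenBytes, sig []byte, published []*rsa.PublicKey) bool {
	digest := sha256.Sum256(tokenBytes)
	for _, pub := range published {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			return true
		}
	}
	return false
}

// signToken signs a token with the issuer's private key (PKCS#1 v1.5, SHA-256).
func signToken(priv *rsa.PrivateKey, tokenBytes []byte) ([]byte, error) {
	digest := sha256.Sum256(tokenBytes)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// rotationScenario models a signing-key rotation: a token signed by the old key is
// checked against (a) only the new key and (b) both keys. Returns (newOnly, all, err).
func rotationScenario() (bool, bool, error) {
	oldKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return false, false, err }
	newKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return false, false, err }
	// Constructed stand-in for a SAML token body; real tokens are signed XML.
	token := []byte(`<saml:Assertion ID="constructed-example">...</saml:Assertion>`)
	sig, err := signToken(oldKey, token)
	if err != nil { return false, false, err }
	newOnly := verifyToken(token, sig, []*rsa.PublicKey{&newKey.PublicKey})
	all := verifyToken(token, sig, []*rsa.PublicKey{&newKey.PublicKey, &oldKey.PublicKey})
	return newOnly, all, nil
}

func main() {
	newOnly, all, err := rotationScenario()
	if err != nil { panic(err) }
	fmt.Printf("new key only: %v, all published keys: %v\n", newOnly, all)
}
```

Publishing only the current certificate makes every token signed before the rotation fail verification even though it has not expired.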

Users present their primary credentials to the STS interface to acquire tokens. The primary credential depends on the type of user.
Solution user: Valid certificate.
Other users: User name and password available in a vCenter Single Sign-On identity source.

STS authenticates the user based on the primary credentials, and constructs a SAML token that contains user attributes. By default, VMware Certificate Authority (VMCA) generates the STS signing certificate. You can replace the default STS signing certificate by using the CLI. Do not replace the STS signing certificate unless your company's security policy requires replacing all certificates.