If you want to replace the default STS signing certificate, you must first generate a new certificate.

Note: This certificate is valid for 10 years and is not an external-facing certificate. Do not replace this certificate unless your company's security policy requires it.

  1. Create a top-level directory to hold the new certificate and verify the location of the directory.
    mkdir newsts
    cd newsts
    pwd
    # resulting output: /root/newsts
  2. Copy the certool.cfg file into the new directory.
    cp /usr/lib/vmware-vmca/share/config/certool.cfg /root/newsts
  3. Open your copy of the certool.cfg file and edit it to use the local vCenter Server IP address and hostname.
    The Country value is required and must be exactly two characters, as in the following example.
    # Template file for a CSR request
    # Country is needed and has to be 2 characters
    Country = US
    Name = STS
    Organization = ExampleInc
    OrgUnit = ExampleInc Dev
    State = Indiana
    Locality = Indianapolis
    IPAddress =
    Email = chen@exampleinc.com
    Hostname = homecenter.exampleinc.local
  4. Generate the key.
    /usr/lib/vmware-vmca/bin/certool --server localhost --genkey --privkey=/root/newsts/sts.key --pubkey=/root/newsts/sts.pub
  5. Generate the certificate.
    /usr/lib/vmware-vmca/bin/certool --gencert --cert=/root/newsts/newsts.cer --privkey=/root/newsts/sts.key --config=/root/newsts/certool.cfg
  6. From the /root/newsts directory, create a PEM file that contains the certificate chain and the private key.
    cat newsts.cer /etc/vmware-sso/keys/ssoserverRoot.crt sts.key > newsts.pem
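    A check you can run on the bundle from step 6 before importing it, added here as an example and not part of VMware's documentation or tooling. It assumes openssl is on the PATH, that the bundle is ordered leaf certificate, root certificate, private key as in step 6, and that the private key is unencrypted.

```shell
#!/bin/sh
# Pre-import sanity check for an STS certificate bundle (added example, not VMware code).
# Assumes: openssl on PATH; bundle order is leaf cert, root cert, unencrypted private key.

# Split a PEM bundle into cert1.pem, cert2.pem, ... and key.pem inside directory $2.
split_pem_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/   { n++; out = dir "/cert" n ".pem" }
    /-----BEGIN .*PRIVATE KEY-----/ { out = dir "/key.pem" }
    out != ""                       { print > out }
    /-----END/                      { out = "" }
  ' "$1"
}

# Returns 0 only if the bundle holds exactly two certificates and one key,
# the key matches the leaf certificate, and the leaf verifies against the
# root certificate (openssl verify also rejects an expired or not-yet-valid leaf).
check_sts_pem() {
  bundle=$1
  tmp=$(mktemp -d) || return 1
  split_pem_bundle "$bundle" "$tmp"
  rc=1
  if [ -f "$tmp/cert1.pem" ] && [ -f "$tmp/cert2.pem" ] && [ -f "$tmp/key.pem" ] \
     && [ ! -f "$tmp/cert3.pem" ]; then
    # Derive the public key from both the private key and the leaf certificate; they must be identical.
    key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$tmp/cert1.pem" -pubkey -noout 2>/dev/null)
    if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] \
       && openssl verify -CAfile "$tmp/cert2.pem" "$tmp/cert1.pem" >/dev/null 2>&1; then
      # Show what will be imported so the subject and expiry can be eyeballed.
      openssl x509 -in "$tmp/cert1.pem" -noout -subject -enddate
      rc=0
    fi
  fi
  rm -rf "$tmp"
  return $rc
}

# Usage: sh check_sts_pem.sh /root/newsts/newsts.pem
if [ "$#" -eq 1 ]; then
  check_sts_pem "$1" && echo "bundle OK" || echo "bundle REJECTED"
fi
```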

What to do next

You can now import the new certificate. See Refresh the Security Token Service Certificate.