You can refresh your vCenter Server STS signing certificates using the vSphere Client. The VMware Certificate Authority (VMCA) issues a new certificate and replaces the current certificate.

When you refresh STS signing certificates, the VMware Certificate Authority (VMCA) issues a new certificate and replaces the current certificate in the VMware Directory Service (vmdir). STS starts using the new certificate to issue new tokens. In an Enhanced Linked Mode configuration, vmdir uploads the new certificate from the issuing vCenter Server system to all linked vCenter Server systems. When you refresh STS signing certificates, you must restart the vCenter Server system, and any other vCenter Server system that is part of an Enhanced Linked Mode configuration.

If you are using a custom generated or third-party STS signing certificate, the refresh overwrites that certificate with a VMCA-issued certificate. To update custom generated or third-party STS signing certificates, use the import and replace option. See Import and Replace a vCenter Server STS Certificate Using the vSphere Client.

The VMCA-issued STS signing certificate is valid for 10 years and is not an external-facing certificate. Do not replace this certificate unless the security policy of your company requires it.

Prerequisites

For certificate management, you must supply the password of the administrator of the local domain (administrator@vsphere.local by default). If you are renewing certificates, you must also supply the vCenter Single Sign-On credentials for a user with administrator privileges on the vCenter Server system.

Procedure

  1. Log in with the vSphere Client to the vCenter Server.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@ mydomain.
  3. Navigate to the Certificate Management UI.
    1. From the Home menu, select Administration.
    2. Under Certificates, click Certificate Management.
  4. If the system prompts you, enter the credentials of your vCenter Server.
  5. Under STS Signing Certificate, click Actions > Refresh with vCenter certificate.
    If you are using a custom generated or third-party STS signing certificate, the refresh action overwrites that certificate with a VMCA-generated certificate.
    Note: If you were using third-party certificates for compliance reasons, the refresh might cause your vCenter Server systems to go out of compliance. Also, if you are using a custom generated or third-party STS signing certificate, the Security Token Service no longer uses that custom or third-party certificate for token signing.
  6. Click Refresh.
    The VMCA refreshes the STS signing certificate on this vCenter Server system and on any linked vCenter Server systems.
  7. (Optional) If the Force Refresh button appears, vCenter Single Sign-On has detected a problem. Before clicking Force Refresh, consider the following potential results.
    • If all the impacted vCenter Server systems are not running at least vSphere 7.0 Update 3, they do not support the certificate refresh.
    • Selecting Force Refresh requires that you restart all vCenter Server systems and can render those systems inoperable until you do so.
    1. If you are unsure of the impact, click Cancel and research your environment.
    2. If you are sure of the impact, click Force Refresh to proceed with the refresh then manually restart your vCenter Server systems.

What to do next

To ensure that all the STS services in an Enhanced Linked Mode configuration validate the new tokens, you must restart the linked vCenter Server systems. See the topic about how to reboot vCenter Server in the vCenter Server Configuration documentation.