The vCenter Single Sign-On server includes a Security Token Service (STS). The Security Token Service is a Web service that issues, validates, and renews security tokens. You can replace the certificate that STS uses.

To use a company-required certificate or to refresh a certificate that is near expiration, you can replace the existing STS signing certificate. If you want to replace the default STS signing certificate, you must first generate a new certificate.

The STS certificate is valid for 10 years and is not an external-facing certificate. Do not replace this certificate unless the security policy of your company requires it.

Caution: You must use the procedures described here. Do not replace the certificate directly in the filesystem.


Enable SSH login to vCenter Server. See Manage vCenter Server from the vCenter Server Shell.


  1. Log in to the vCenter Server shell as root.
  2. Create a certificate.
    1. Create a top-level directory to hold the new certificate and verify the location of the directory.
      mkdir newsts
      cd newsts
      pwd
      #resulting output: /root/newsts
    2. Copy the certool.cfg file into the new directory.
      cp /usr/lib/vmware-vmca/share/config/certool.cfg /root/newsts
    3. Using a command-line editor such as Vim, open your copy of the certool.cfg file and edit it to use the local vCenter Server IP address and hostname. The country is required and has to be two characters, as shown in the following example.
      # Template file for a CSR request
      # Country is needed and has to be 2 characters
      Country = US
      Name = STS
      Organization = ExampleInc
      OrgUnit = ExampleInc Dev
      State = Indiana
      Locality = Indianapolis
      IPAddress =
      Email =
      Hostname = homecenter.exampleinc.local
    4. Generate the key.
      /usr/lib/vmware-vmca/bin/certool --server localhost --genkey --privkey=/root/newsts/sts.key --pubkey=/root/newsts/
    5. Generate the certificate.
      /usr/lib/vmware-vmca/bin/certool --gencert --cert=/root/newsts/newsts.cer --privkey=/root/newsts/sts.key --config=/root/newsts/certool.cfg
    6. Create a PEM file with the certificate chain and private key.
      cat newsts.cer /var/lib/vmware/vmca/root.cer sts.key > newsts.pem
  3. Update the STS signing certificate, for example:
    /opt/vmware/bin/ -set_signing_cert -t vsphere.local /root/newsts/newsts.pem
  4. Restart any vCenter Server node that is part of the ELM group, and any gateway.
    You must perform a restart for authentication to work correctly. Both the STS service and the vSphere Client are restarted.
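
A pre-flight check for the bundle created in step 2.6, to run before step 3. This is an added example, not part of the VMware procedure or tooling. It confirms that the file lists the certificates first and a single private key last, matching the `cat` order above, and that the file holding the signing key is not accessible to group or others. The function name `check_sts_pem` and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check_sts_pem is a hypothetical helper, not a VMware tool.
# Usage: check_sts_pem /root/newsts/newsts.pem && echo "bundle OK"
# Return codes: 0 ok, 1 unreadable, 2 wrong block order or count,
#               3 unbalanced BEGIN/END markers, 4 permissions too open.
check_sts_pem() {
    pem=$1
    [ -r "$pem" ] || return 1

    # Reduce the file to its sequence of block types, e.g. "C C K "
    # (C = certificate, K = private key, ? = any other PEM block).
    order=$(awk '
        /^-----BEGIN / {
            if (inblk) bad = 1            # BEGIN inside an open block
            inblk = 1
            if ($0 ~ /BEGIN CERTIFICATE-----$/)  seq = seq "C "
            else if ($0 ~ /PRIVATE KEY-----$/)   seq = seq "K "
            else                                 seq = seq "? "
        }
        /^-----END / { if (!inblk) bad = 1; inblk = 0 }
        END { if (inblk || bad) print "UNBALANCED"; else print seq }
    ' "$pem")

    [ "$order" = "UNBALANCED" ] && return 3

    # Expect the signing cert, one or more CA certs, then one key, last.
    case "$order" in
        "C C "*"K ") ;;
        *) return 2 ;;
    esac
    # Nothing before the final key may be a key or an unknown block.
    case "${order%K }" in
        *K*|*\?*) return 2 ;;
    esac

    # The bundle contains the STS signing key: group/other must have no access.
    perms=$(ls -ld "$pem" | cut -c5-10)
    [ "$perms" = "------" ] || return 4
    return 0
}
```

A return code of 4 is the expected result right after step 2.6 under a default umask, because `cat ... > newsts.pem` creates the file with group and other read access; `chmod 600 newsts.pem` clears it.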