You can import and replace the vCenter Server STS certificate with a custom generated or third-party certificate using the vSphere Client.

To import and replace the default STS signing certificate, you must first generate a new certificate. When you import and replace STS signing certificates, the VMware Directory Service (vmdir) uploads the new certificate from the issuing vCenter Server system to all linked vCenter Server systems.

The STS certificate is not an external-facing certificate. Do not replace this certificate unless the security policy of your company requires it.


For certificate management, you must supply the password of the administrator of the local domain (administrator@vsphere.local by default). You also must supply the vCenter Single Sign-On credentials for a user with administrator privileges on the vCenter Server system.


  1. Log in with the vSphere Client to the vCenter Server.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@mydomain.
  3. Navigate to the Certificate Management UI.
    1. From the Home menu, select Administration.
    2. Under Certificates, click Certificate Management.
  4. If the system prompts you, enter the credentials of your vCenter Server.
  5. Under STS Signing Certificate, click Actions > Import and Replace.
  6. Select the PEM file.
    The PEM file includes the signing certificate chain and the private key.
  7. Click Replace.
    The STS signing certificate is replaced on this vCenter Server system and on any linked vCenter Server systems.
  8. Restart the vCenter Server system, and any other vCenter Server system that is part of an Enhanced Linked Mode configuration.
    See the topic about how to reboot vCenter Server in the vCenter Server Configuration documentation.
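Before step 6, it is worth confirming that the PEM file you are about to upload actually contains what the procedure expects (the signing certificate chain and the private key in one file), since a truncated or mis-assembled bundle is only discovered after the replace has been pushed to every linked vCenter Server. The following pre-flight check is an added example, not VMware's code or part of this documentation. It checks structure only (block labels, base64 encoding, and that each block's outer DER SEQUENCE length matches its data, which catches truncation); it does not verify signatures or that the key belongs to the certificate. The expectation that the signing certificate is the first block, and the sample bundles it runs against, are constructed assumptions of this example.

```python
import base64
import re

# Added example (not VMware's code). Structural pre-flight check for the single PEM
# file that the "Import and Replace" step expects: STS signing certificate chain plus
# private key. Assumption: the signing (leaf) certificate is the first block.

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_pem_blocks(text):
    """Return [(label, der_bytes_or_None), ...] for every PEM block in text.
    der is None when the base64 body does not decode."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            der = None
        blocks.append((label, der))
    return blocks


def der_is_complete(der):
    """True if der is exactly one DER SEQUENCE whose declared length matches the
    data present. A mismatch usually means the PEM body was truncated or a line
    was pasted twice when the bundle was assembled."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short-form length
        length, header = first, 2
    else:  # long-form length: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return len(der) == header + length


def check_sts_bundle(text):
    """Check a candidate STS PEM bundle. Returns block counts and a list of problems;
    an empty problems list means the file is structurally ready to upload."""
    blocks = parse_pem_blocks(text)
    problems = []
    if not blocks:
        problems.append("no PEM blocks found")
    for i, (label, der) in enumerate(blocks):
        if der is None:
            problems.append(f"block {i} ({label}): invalid base64")
        elif not der_is_complete(der):
            problems.append(f"block {i} ({label}): DER length mismatch, possibly truncated")
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    if not certs:
        problems.append("no CERTIFICATE block")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    if any(label == "ENCRYPTED PRIVATE KEY" for label, _ in keys):
        problems.append("private key is passphrase-protected; confirm the import accepts that")
    if blocks and blocks[0][0] != "CERTIFICATE":
        problems.append("first block is not a certificate (signing certificate expected first)")
    return {"certificates": len(certs), "private_keys": len(keys), "problems": problems}


# --- constructed sample data (placeholder DER, not real certificates or keys) ---
def _der_seq(payload):
    """Wrap payload in a DER SEQUENCE with a correctly encoded length."""
    n = len(payload)
    if n < 0x80:
        return bytes([0x30, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x30, 0x80 | len(lb)]) + lb + payload


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


LEAF, CA, KEY = _der_seq(b"\x00" * 300), _der_seq(b"\x00" * 200), _der_seq(b"\x00" * 150)
GOOD_BUNDLE = _pem("CERTIFICATE", LEAF) + _pem("CERTIFICATE", CA) + _pem("PRIVATE KEY", KEY)
TRUNCATED_BUNDLE = _pem("CERTIFICATE", LEAF[:-20]) + _pem("CERTIFICATE", CA) + _pem("PRIVATE KEY", KEY)
KEY_ONLY_BUNDLE = _pem("PRIVATE KEY", KEY)

if __name__ == "__main__":
    for name, bundle in [("good", GOOD_BUNDLE), ("truncated", TRUNCATED_BUNDLE), ("key-only", KEY_ONLY_BUNDLE)]:
        print(name, check_sts_bundle(bundle))
```

Run it against the real bundle by reading the file into `check_sts_bundle` and refusing to proceed with step 6 while `problems` is non-empty; pair it with an `openssl` comparison of the certificate and key moduli if you also want to confirm that the key matches the signing certificate.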