You can import and replace the vCenter Server STS signing certificate with a custom generated or third-party certificate by using the Certificate Management vCenter Signing Certificate interface.

In the usual case, you must not replace the vCenter Server STS signing certificate as it is not an external-facing certificate. The STS is an internal service that enables communication between various vSphere services. A fresh installation of vSphere 7.0 and later comes with a signing certificate that is issued with a default duration of 10 years. Replace the STS signing certificate with a custom or third-party certificate only if your company security policy requires you to do so.

Prerequisites

  • Verify that you are connected to a vSphere Automation API server.

  • Verify that the custom generated or third-party certificate chain and private key are available on your machine.

  • Verify that you have the CertificateManagement.Administer privilege.

Procedure

  1. Populate the SigningCertificateSetSpec data structure.
    1. Populate the corresponding unencrypted PKCS#8 private key as a string in base64-encoded PEM format. It must be JSON string escaped for newlines (\n).
    2. Populate the X509CertChain data structure.

      Parameter: cert_chain
      Type: String
      Description: The custom generated or third-party certificate chain in base64-encoded PEM format. It must be a valid certificate chain with the leaf cert marked for Digital Signature key usage. The leaf certificate must be first in the sequence and the root must be last. The certificates must be JSON string escaped for newlines (\n).

  2. Set the STS signing certificate.
    PUT https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/signing-certificate

    The system returns a 204 (No Content) status code, which means that the request was processed successfully but no content is returned.
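The two steps above, as an added example that is not part of this documentation: it checks that the chain PEM holds only CERTIFICATE blocks and that the key is a single unencrypted PKCS#8 block, lets json.dumps() do the required newline escaping, and issues the PUT. The PEM bodies are constructed placeholders, and the request field names signing_cert_chain and private_key plus the vmware-api-session-id header are assumptions to verify against the API reference.

```python
import json
import re
import urllib.request

# Constructed placeholder PEM material (not real certificates or keys) so the
# validation and encoding steps run offline; real input comes from your PEM files.
SAMPLE_CHAIN_PEM = (
    "-----BEGIN CERTIFICATE-----\nLEAFCERTPLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nROOTCERTPLACEHOLDER\n-----END CERTIFICATE-----\n"
)
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nPKCS8KEYPLACEHOLDER\n-----END PRIVATE KEY-----\n"

# Matches one PEM block and captures its label (CERTIFICATE, PRIVATE KEY, ...).
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----\n?", re.S)


def build_signing_certificate_spec(chain_pem: str, key_pem: str) -> dict:
    """Validate the PEM inputs as the procedure requires and return the
    SigningCertificateSetSpec as a dict (leaf-first/root-last order is the caller's job)."""
    labels = _PEM_BLOCK.findall(chain_pem)
    if not labels or any(label != "CERTIFICATE" for label in labels):
        raise ValueError("cert_chain must contain only CERTIFICATE blocks, leaf first, root last")
    # Reject "ENCRYPTED PRIVATE KEY" (encrypted PKCS#8) and "RSA PRIVATE KEY" (PKCS#1):
    # the API wants exactly one unencrypted PKCS#8 block.
    if _PEM_BLOCK.findall(key_pem) != ["PRIVATE KEY"]:
        raise ValueError("private key must be one unencrypted PKCS#8 block (BEGIN PRIVATE KEY)")
    # Field names assumed from the vSphere Automation API naming; check the API reference.
    return {"signing_cert_chain": {"cert_chain": chain_pem}, "private_key": key_pem}


def encode_body(spec: dict) -> str:
    # json.dumps() turns every newline into the two characters backslash-n,
    # which is the "JSON string escaped" form the API expects.
    return json.dumps(spec)


def set_sts_signing_certificate(vcenter: str, session_id: str, spec: dict) -> int:
    """PUT the spec to the signing-certificate endpoint; 204 means success."""
    url = f"https://{vcenter}/api/vcenter/certificate-management/vcenter/signing-certificate"
    req = urllib.request.Request(
        url, data=encode_body(spec).encode(), method="PUT",
        headers={"Content-Type": "application/json", "vmware-api-session-id": session_id},
    )
    with urllib.request.urlopen(req) as resp:  # default context verifies the TLS certificate
        if resp.status != 204:
            raise RuntimeError(f"unexpected status {resp.status}")
        return resp.status
```

Run set_sts_signing_certificate() with a session ID obtained from the vSphere Automation API session endpoint; it raises on any status other than 204.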

Results

Caution: The change of the STS signing certificate might leave systems in the local vCenter Server domain in a non-functional state. To prevent system failure, restart your vCenter Server instance and all linked services.