You can refresh the vCenter Server Security Token Service (STS) signing certificate by using the Certificate Management vCenter Signing Certificate interface. The STS is an internal entity that issues and verifies tokens so that vSphere services can communicate with and trust each other.

You can refresh the current STS signing certificate of your vCenter Server system with a new VMCA-issued certificate.

There are two valid reasons for refreshing your STS signing certificate or certificate chain.

  • If it is close to expiry. The standard lifespan of the vCenter Server STS signing certificate is 10 years. Your vCenter Server system notifies you in advance of STS certificate expiry: an alarm is triggered once per week starting when the STS certificate is 90 days from expiry, and then daily once it is seven days from expiry.

  • If you previously replaced the signing certificate with a third-party or enterprise certificate and now want to revert to a default VMCA-issued certificate. This procedure replaces the custom or third-party STS signing certificates you added.

Prerequisites

  • Verify that you are connected to a vSphere Automation API server.

  • Verify that you have the CertificateManagement.Administer privilege.

Procedure

  1. (Optional) Retrieve the current vCenter Server STS signing certificate chain.
    GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/signing-certificate
  2. Refresh the STS signing certificate.
    1. (Optional) Populate the SigningCertificateRefreshRequestBody data structure. It has a single field:

      Parameter   Type      Description
      force       boolean   Defaults to false. Set to true to force a signing certificate refresh in environments that would otherwise prevent the refresh from occurring, such as mixed-version environments. Use force only when you understand why the unforced refresh fails, or when VMware® customer support instructs you to.

    2. Request the refresh.
      POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/signing-certificate?action=refresh
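The whole procedure as a script, added here as an example and not VMware's own code or tooling. It uses only the Python standard library so the request-building and chain-comparison helpers can be exercised offline. Everything beyond the two endpoints shown above is an assumption and is labelled as such in the code: that authentication is `POST /api/session` with HTTP basic auth and a `vmware-api-session-id` header, that the GET result exposes the active chain as `active_cert_chain.cert_chain` (a list of PEM strings, leaf first), and that the host name, credentials and CA bundle are supplied by the caller.

```python
"""Refresh the vCenter Server STS signing certificate via the vSphere Automation REST API.

Added example; not VMware's own code. Assumptions beyond what the documentation
states (also marked in comments below):
  - authentication: POST /api/session with HTTP basic auth; the returned token goes
    in the vmware-api-session-id header;
  - the GET result exposes the active chain as info["active_cert_chain"]["cert_chain"],
    a list of PEM-encoded certificates, leaf first;
  - host name, credentials and CA bundle are supplied by the caller.
"""
import base64
import hashlib
import json
import ssl
import urllib.request

SIGNING_CERT_PATH = "/api/vcenter/certificate-management/vcenter/signing-certificate"


def build_refresh_request(base_url, session_id, force=False):
    """Return (url, headers, body) for the refresh call shown in the procedure.

    The body has a single field, force, defaulting to False. Set it to True only
    when the reason an unforced refresh fails is understood: a forced refresh
    requires restarting vCenter Server and all linked services afterwards.
    """
    url = f"{base_url}{SIGNING_CERT_PATH}?action=refresh"
    headers = {
        "vmware-api-session-id": session_id,  # assumed session header name
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return url, headers, {"force": bool(force)}


def active_chain(info):
    """Pull the PEM list out of a GET response (assumed layout, see module docstring)."""
    return list(info["active_cert_chain"]["cert_chain"])


def fingerprint(pem):
    """SHA-256 over the DER bytes, so PEM whitespace differences cannot mask a change."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def chain_changed(before, after):
    """True when the leaf signing certificate (index 0) was actually reissued."""
    return fingerprint(before[0]) != fingerprint(after[0])


def constructed_pem(payload):
    """Wrap arbitrary bytes in PEM armour. Constructed sample input, NOT a real
    certificate: just enough to exercise fingerprint() without a CA."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(payload).decode()
            + "-----END CERTIFICATE-----\n")


def _call(ctx, method, url, headers, body=None):
    """One JSON round trip; an empty response body (e.g. DELETE) yields None."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def refresh_sts_certificate(host, username, password, force=False, cafile=None):
    """Log in, snapshot the chain, refresh, re-read, and report whether the leaf changed.

    TLS verification stays enabled: point cafile at the bundle that issued the
    vCenter management certificate instead of turning verification off, because
    this script sends administrator credentials and a refresh command.
    """
    base_url = f"https://{host}"
    ctx = ssl.create_default_context(cafile=cafile)
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    session_id = _call(ctx, "POST", f"{base_url}/api/session",  # assumed login endpoint
                       {"Authorization": f"Basic {basic}", "Accept": "application/json"})
    auth = {"vmware-api-session-id": session_id, "Accept": "application/json"}
    try:
        before = active_chain(_call(ctx, "GET", base_url + SIGNING_CERT_PATH, auth))
        url, headers, body = build_refresh_request(base_url, session_id, force)
        _call(ctx, "POST", url, headers, body)  # returns the new chain on success
        after = active_chain(_call(ctx, "GET", base_url + SIGNING_CERT_PATH, auth))
        if force:
            print("Forced refresh: restart vCenter Server and all linked services.")
        return chain_changed(before, after), before, after
    finally:
        _call(ctx, "DELETE", f"{base_url}/api/session", auth)  # drop the session token


if __name__ == "__main__":
    import sys
    host, user, pw = sys.argv[1:4]
    changed, _, _ = refresh_sts_certificate(host, user, pw, force="--force" in sys.argv)
    print("leaf signing certificate changed:", changed)
```

Comparing DER fingerprints before and after is the check worth keeping: a refresh that is rejected silently in a mixed-version environment leaves the old leaf in place, and the fingerprint comparison catches that without trusting the HTTP status alone. Expiry of the returned PEM is best checked with an X.509 parser (for example `openssl x509 -noout -enddate`), which the standard library does not provide.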

Results

If successful, the system returns the X.509 certificate chain issued in accordance with the vCenter Server policies.

Caution:

If you used a forced refresh, you must restart your vCenter Server and all linked services.