You can import and replace the vCenter Server STS signing certificate with a custom generated or third-party certificate by using the SigningCertificate interface.
In the usual case, you do not replace the vCenter Server STS signing certificate, because it is not an external-facing certificate. The STS is an internal service that enables communication between the various vSphere services. A fresh installation of vSphere 7.0 or later comes with a signing certificate issued for a default duration of 10 years. Replace the STS signing certificate with a custom or third-party certificate only if your company security policy requires it.
Prerequisites
- Verify that the custom generated or third-party certificate chain and private key are available on your machine.
- Verify that you have the required privilege: .
Procedure
- Create an object instance of type SigningCertificateTypes.SetSpec with the corresponding private key and certificate chain.
- Set the private key by calling the setPrivateKey(privateKey) method. Pass the corresponding unencrypted PKCS#8 private key, in base64-encoded PEM format, as the value of the privateKey parameter.
- Set the custom generated or third-party certificate chain in base64-encoded PEM format by calling the setSigningCertChain(X509CertChain) method. It must be a valid certificate chain with the leaf certificate marked for Digital Signature key usage. The leaf certificate must be first in the sequence and the root must be last.
- Set the STS signing certificate by calling set(SigningCertificateTypes.SetSpec) and passing the signing certificate specification.
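The following is an added example, not code from the vSphere documentation or the SDK itself, that carries the four steps above through in Java against the vSphere Automation SDK. It reads the key and chain from PEM files, checks the procedure's requirements locally before anything is sent to vCenter Server (unencrypted PKCS#8 key, leaf certificate first and marked for Digital Signature key usage, root last and self-issued), then builds the SigningCertificateTypes.SetSpec and calls set. The assumptions are: the service stub is obtained the way the SDK samples do it (a VapiAuthenticationHelper stub factory and a session StubConfiguration, not shown), the X509CertChain type takes its list of PEM strings through setCertChain, and the file paths are placeholders.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import com.vmware.vcenter.certificate_management.X509CertChain;
import com.vmware.vcenter.certificate_management.vcenter.SigningCertificate;
import com.vmware.vcenter.certificate_management.vcenter.SigningCertificateTypes;

public class ReplaceStsSigningCert {

    private static final Pattern CERT_BLOCK = Pattern.compile(
            "-----BEGIN CERTIFICATE-----[^-]+-----END CERTIFICATE-----");

    /** Split a PEM bundle into its individual certificate blocks, keeping file order. */
    static List<String> splitPemChain(String pemBundle) {
        List<String> blocks = new ArrayList<>();
        Matcher m = CERT_BLOCK.matcher(pemBundle);
        while (m.find()) {
            blocks.add(m.group());
        }
        return blocks;
    }

    static X509Certificate parse(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    /** Local pre-flight checks mirroring the procedure's requirements. */
    static void validate(String privateKeyPem, List<String> chainPem) throws Exception {
        // An unencrypted PKCS#8 key uses "BEGIN PRIVATE KEY"; "BEGIN ENCRYPTED PRIVATE KEY"
        // (encrypted PKCS#8) and "BEGIN RSA PRIVATE KEY" (PKCS#1) are not what the API expects.
        if (!privateKeyPem.trim().startsWith("-----BEGIN PRIVATE KEY-----")) {
            throw new IllegalArgumentException("private key must be an unencrypted PKCS#8 PEM");
        }
        if (chainPem.isEmpty()) {
            throw new IllegalArgumentException("certificate chain is empty");
        }
        List<X509Certificate> certs = new ArrayList<>();
        for (String pem : chainPem) {
            certs.add(parse(pem));
        }
        // The leaf is first and must carry the Digital Signature key usage (KeyUsage bit 0).
        boolean[] keyUsage = certs.get(0).getKeyUsage();
        if (keyUsage == null || !keyUsage[0]) {
            throw new IllegalArgumentException("leaf certificate lacks digitalSignature key usage");
        }
        // Each certificate must be signed by the one that follows it; verify() throws otherwise.
        for (int i = 0; i + 1 < certs.size(); i++) {
            certs.get(i).verify(certs.get(i + 1).getPublicKey());
        }
        // The root is last and must be self-issued.
        X509Certificate root = certs.get(certs.size() - 1);
        root.verify(root.getPublicKey());
    }

    /** Steps 1 to 3: build the SetSpec from the validated key and chain. */
    static SigningCertificateTypes.SetSpec buildSpec(String privateKeyPem, List<String> chainPem)
            throws Exception {
        validate(privateKeyPem, chainPem);
        // Assumption: X509CertChain exposes its PEM list through setCertChain.
        X509CertChain chain = new X509CertChain();
        chain.setCertChain(chainPem);

        SigningCertificateTypes.SetSpec spec = new SigningCertificateTypes.SetSpec();
        spec.setPrivateKey(privateKeyPem);
        spec.setSigningCertChain(chain);
        return spec;
    }

    /** Step 4: push the specification to the SigningCertificate service. */
    static void replace(SigningCertificate service, Path keyFile, Path chainFile) throws Exception {
        String key = Files.readString(keyFile, StandardCharsets.US_ASCII);
        List<String> chain = splitPemChain(Files.readString(chainFile, StandardCharsets.US_ASCII));
        service.set(buildSpec(key, chain));
        // The STS and dependent services need a restart afterwards; see the Results section.
    }

    public static void main(String[] args) throws Exception {
        // Assumption: vapiAuthHelper and sessionStubConfig are set up as in the SDK samples,
        // e.g. after vapiAuthHelper.loginByUsernameAndPassword(server, user, password, config).
        // SigningCertificate service = vapiAuthHelper.getStubFactory()
        //         .createStub(SigningCertificate.class, sessionStubConfig);
        // replace(service, Path.of("/path/to/sts-key.pem"), Path.of("/path/to/sts-chain.pem"));
    }
}
```

Running validate before set is the useful part for an operator: a chain in the wrong order, a leaf without the Digital Signature bit, or an encrypted key is rejected on the client with a readable message instead of leaving the STS in the state the caution below warns about.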
Results
Caution: The change of the STS signing certificate might leave systems in the local vCenter Server domain in a non-functional state. To prevent system failure, restart your vCenter Server instance and all linked services.