You can refresh the vCenter Server Security Token Service (STS) signing certificate with a new VMCA-issued certificate by using the SigningCertificate interface. The STS is an internal service that issues and validates the security tokens with which vSphere services authenticate to, and therefore trust, each other; if its signing certificate expires, those services can no longer obtain valid tokens and logins to vCenter Server fail.
There are two reasons to refresh the STS signing certificate or certificate chain.
The certificate is close to expiry. The default lifespan of the vCenter Server STS signing certificate is 10 years. vCenter Server warns you ahead of time: an alarm fires once a week starting 90 days before the certificate expires, and daily starting seven days before. Treat the first weekly alarm as the trigger to schedule the refresh rather than waiting for the daily alarms.
You previously replaced the signing certificate with a third-party or enterprise certificate and now want to revert to a default VMCA-issued one. This procedure replaces whatever custom or third-party STS signing certificate chain you set.
Prerequisites
Verify that you have the required privilege:
Procedure
Results
If successful, the system returns the X.509 certificate chain issued according to the vCenter Server certificate policies. Check the returned chain's notAfter date before treating the operation as complete.
If you used a forced refresh, you must restart vCenter Server and all linked services, so plan a forced refresh for a maintenance window.
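The following script is an added example that ties the procedure together: it logs in to the vSphere Automation API, reads the current STS signing chain, classifies its remaining lifetime against the 90-day and 7-day alarm thresholds described above, and calls the SigningCertificate refresh action when needed. It is not VMware code. The hostname and credentials are placeholders, the session endpoint (/api/session) is the vCenter 7.0 U2 and later path, and the response field name cert_chain with the leaf certificate first is an assumption taken from the API's X509CertChain structure. The notAfter date is read with a minimal DER walk so the script needs only the Python standard library.

```python
"""Check the vCenter STS signing certificate and refresh it through the
SigningCertificate REST API. Added example, not VMware code; assumptions are marked."""
import argparse
import base64
import datetime as dt
import json
import ssl
import urllib.request

SESSION_HEADER = "vmware-api-session-id"
SIGNING_CERT_PATH = "/api/vcenter/certificate-management/vcenter/signing-certificate"
WARN_DAYS, CRITICAL_DAYS = 90, 7   # alarm thresholds stated on the page

def _call(host, ctx, method, path, headers, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{host}{path}", data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read() or b"null")

def vc_login(host, ctx, user, password):
    """POST /api/session with HTTP Basic credentials; returns the session ID string."""
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    return _call(host, ctx, "POST", "/api/session", {"Authorization": f"Basic {basic}"})

def parse_chain(resp):
    """PEM list from an X509CertChain response; 'cert_chain' name and leaf-first order assumed."""
    chain = resp.get("cert_chain") if isinstance(resp, dict) else None
    if not chain:
        raise ValueError(f"unexpected SigningCertificate response: {resp!r}")
    return list(chain)

def get_signing_chain(host, ctx, sid):
    return parse_chain(_call(host, ctx, "GET", SIGNING_CERT_PATH, {SESSION_HEADER: sid}))

def refresh_signing_chain(host, ctx, sid, force=False):
    """POST ?action=refresh with {"force": ...}; returns the new VMCA-issued chain."""
    return parse_chain(_call(host, ctx, "POST", SIGNING_CERT_PATH + "?action=refresh",
                             {SESSION_HEADER: sid}, {"force": force}))

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _asn1_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ, RFC 5280 pivot at 50) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def leaf_not_after(pem):
    """Walk Certificate -> tbsCertificate -> validity with the standard library only."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = _tlv(base64.b64decode(b64), 0)  # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                    # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)                   # version [0] EXPLICIT, or serialNumber if absent
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)               # serialNumber
    _, _, pos = _tlv(tbs, pos)                   # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                   # issuer Name
    _, validity, _ = _tlv(tbs, pos)              # validity SEQUENCE {notBefore, notAfter}
    _, _, pos = _tlv(validity, 0)
    tag, value, _ = _tlv(validity, pos)
    return _asn1_time(tag, value)

def expiry_state(not_after, now=None):
    """Classify days to expiry against the page's alarm thresholds: (state, days_left)."""
    days = (not_after - (now or dt.datetime.now(dt.timezone.utc))).days
    if days < 0:
        return "expired", days
    if days <= CRITICAL_DAYS:
        return "critical", days
    return ("warning" if days <= WARN_DAYS else "ok"), days

def main():
    ap = argparse.ArgumentParser(description="Check and refresh the vCenter STS signing certificate")
    ap.add_argument("host")                      # placeholder, e.g. vcenter.example.test
    ap.add_argument("--user", required=True)
    ap.add_argument("--password", required=True)
    ap.add_argument("--cafile", help="CA bundle for vCenter's TLS certificate (e.g. the VMCA root)")
    ap.add_argument("--force", action="store_true", help="refresh even if the chain is not near expiry")
    a = ap.parse_args()
    ctx = ssl.create_default_context(cafile=a.cafile)   # TLS is verified; never disable this in production
    sid = vc_login(a.host, ctx, a.user, a.password)
    state, days = expiry_state(leaf_not_after(get_signing_chain(a.host, ctx, sid)[0]))
    print(f"current STS signing certificate: {state}, {days} days left")
    if state != "ok" or a.force:
        new_leaf = refresh_signing_chain(a.host, ctx, sid, force=a.force)[0]
        note = "; forced refresh: restart vCenter Server and all linked services" if a.force else ""
        print(f"refreshed; new notAfter {leaf_not_after(new_leaf).isoformat()}{note}")

if __name__ == "__main__":
    main()
```

Run it as `python sts_refresh.py vcenter.example.test --user administrator@vsphere.local --password '...' --cafile vmca-root.pem`. Without `--force` the script only calls the refresh action when the chain is inside the 90-day warning window; with `--force` it refreshes unconditionally and reminds you of the restart requirement stated in the results above. The expiry thresholds are deliberately the same as the alarm thresholds so the script can double as a scheduled check that does not depend on someone watching the vSphere Client alarms.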