You can refresh the vCenter Server Security Token Service (STS) signing certificate with a new VMCA-issued certificate by using the SigningCertificate interface. The STS is an internal service that issues and validates the tokens that vSphere services use to authenticate to, and trust, one another.

There are two reasons to refresh the STS signing certificate or certificate chain:

  • The certificate is close to expiry. The standard lifespan of the vCenter Server STS signing certificate is 10 years. vCenter Server warns you in advance: an alarm is raised once a week starting 90 days before the STS certificate expires, and daily starting seven days before expiry.

  • You previously replaced the signing certificate with a third-party or enterprise certificate and want to revert to a default VMCA-issued certificate. This procedure replaces any custom or third-party STS signing certificates you added.

Prerequisites

Verify that you have the required privilege: CertificateManagement.Administer.

Procedure

  1. (Optional) Retrieve the current vCenter Server signing certificate chain by calling the get function of the SigningCertificate interface.
    get()
  2. Refresh the vCenter Server signing certificate by calling the refresh function of the SigningCertificate interface.

    Pass true as the force parameter only when you need to force the refresh in an environment that would otherwise block it, such as a mixed-version environment. If force is unset (null) or false, the refresh of the vCenter Server signing certificate chain is not forced. A forced refresh requires a restart of vCenter Server and all linked services (see the Caution below), so leave force unset unless you have planned for that restart.
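The two steps above, driven over the vSphere Automation REST API, as an added example that is not VMware's code. It reads the current chain, grades the leaf certificate against the 90-day and 7-day alarm thresholds the page describes, issues the refresh with force left at false, and checks that the returned chain carries a new leaf. Assumed, because the page names only the interface and not its binding (confirm in your vCenter's API explorer): the interface is served at GET/POST /api/vcenter/certificate-management/vcenter/signing-certificate, the refresh is POST ...?action=refresh with body {"force": <bool>}, requests are authenticated with the vmware-api-session-id header from POST /api/session, and a chain is {"cert_chain": [PEM, ...]} with the leaf first. The certificate used in the test is a constructed, unsigned X.509 skeleton; notAfter is read with a minimal DER walk so the example needs only the standard library (use the cryptography package in production).

```python
"""Added example, not VMware's code: drive the SigningCertificate interface over
the vSphere Automation REST API and decide whether a refresh is due.
Assumed (verify in your vCenter's API explorer): the interface is bound to
GET/POST /api/vcenter/certificate-management/vcenter/signing-certificate, the
refresh is POST ...?action=refresh with body {"force": bool}, requests carry a
'vmware-api-session-id' header, and a chain is {"cert_chain": [PEM, ...]} with
the leaf first. Standard library only; notAfter is read with a minimal DER walk
(use the 'cryptography' package in production)."""
import base64
import datetime as dt
import json
import urllib.request

BASE = "/api/vcenter/certificate-management/vcenter/signing-certificate"


def utc(year, month, day):
    """Aware UTC midnight, used for the thresholds and the constructed sample."""
    return dt.datetime(year, month, day, tzinfo=dt.timezone.utc)


def get_request(host, session_id):
    """Step 1: read the current signing certificate chain."""
    return urllib.request.Request(f"https://{host}{BASE}",
                                  headers={"vmware-api-session-id": session_id})


def refresh_request(host, session_id, force=False):
    """Step 2: refresh the chain. force stays False unless you accept the restart
    of vCenter Server and all linked services that a forced refresh requires."""
    return urllib.request.Request(
        f"https://{host}{BASE}?action=refresh", method="POST",
        data=json.dumps({"force": force}).encode(),
        headers={"vmware-api-session-id": session_id,
                 "Content-Type": "application/json"})


def _tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """All TLVs contained in a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out


def not_after(pem):
    """notAfter of a PEM certificate as an aware UTC datetime."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = _tlv(base64.b64decode(b64))   # Certificate
    _, tbs, _ = _tlv(cert)                     # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]                    # serial, sigAlg, issuer, validity
    time_tag, value = _children(validity)[1]   # notBefore, notAfter
    fmt = "%y%m%d%H%M%SZ" if time_tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def alarm_state(leaf_pem, now):
    """The page's alarm schedule: weekly from 90 days out, daily from 7 days out."""
    remaining = not_after(leaf_pem) - now
    if remaining <= dt.timedelta(0):
        return "expired"
    if remaining <= dt.timedelta(days=7):
        return "daily"
    if remaining <= dt.timedelta(days=90):
        return "weekly"
    return "ok"


def leaf_replaced(old_chain, new_chain):
    """Post-refresh check: the returned chain must carry a new leaf certificate."""
    return old_chain["cert_chain"][0] != new_chain["cert_chain"][0]


def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def sample_cert_pem(expires):
    """Constructed sample input: an unsigned X.509 skeleton with empty issuer,
    subject, key and signature, carrying the given notAfter. No vCenter issued it."""
    validity = _der(0x30, _der(0x18, b"20240101000000Z")
                    + _der(0x18, expires.strftime("%Y%m%d%H%M%SZ").encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _der(0x30, b"") + validity
               + _der(0x30, b"") + _der(0x30, b""))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":  # live run: VC_HOST and VC_SESSION_ID (from POST /api/session) in env
    import os
    host, sid = os.environ["VC_HOST"], os.environ["VC_SESSION_ID"]
    with urllib.request.urlopen(get_request(host, sid)) as r:   # TLS is verified by default
        current = json.load(r)["active_cert_chain"]
    state = alarm_state(current["cert_chain"][0], dt.datetime.now(dt.timezone.utc))
    print("current STS signing certificate:", state)
    if state != "ok":
        with urllib.request.urlopen(refresh_request(host, sid)) as r:
            print("leaf replaced:", leaf_replaced(current, json.load(r)))
```

The live path keeps force at its default so that a refresh that vCenter would block (a mixed-version environment, for instance) fails loudly instead of silently committing you to a restart of vCenter Server and all linked services; pass force=True to refresh_request only when that restart is planned.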

Results

If successful, the system returns the new X.509 certificate chain, issued in accordance with the vCenter Server certificate policies.

Caution:

If you used a forced refresh, you must restart your vCenter Server and all linked services.