You can import and replace the vCenter Server STS signing certificate with a custom generated or third-party certificate by using the SigningCertificate interface.

In the usual case, you do not need to replace the vCenter Server STS signing certificate, because it is not an external-facing certificate. The STS is an internal service that enables communication between the various vSphere services. A fresh installation of vSphere 7.0 and later comes with a signing certificate that is issued with a default validity of 10 years. Replace the STS signing certificate with a custom or third-party certificate only if your company security policy requires you to do so.

Prerequisites

  • Verify that the custom generated or third-party certificate chain and private key are available on your machine.
  • Verify that you have the required privilege: CertificateManagement.Administer.

Procedure

  1. Create an object instance of type SigningCertificateTypes.SetSpec with the corresponding private key and certificate chain.
    1. Set the private key by calling the setPrivateKey(privateKey) method. Pass as the value of the privateKey parameter the corresponding unencrypted PKCS#8 private key in base64-encoded PEM format.
    2. Set the custom generated or third-party certificate chain in base64-encoded PEM format by calling the setSigningCertChain(X509CertChain) method. It must be a valid certificate chain whose leaf certificate is marked for the Digital Signature key usage. The leaf certificate must be first in the sequence and the root certificate must be last.
  2. Set the STS signing certificate by calling set(SigningCertificateTypes.SetSpec) and passing the signing certificate specification.
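The following class is an added example of the two steps above written against the vSphere Automation SDK for Java; it is not VMware's own sample code. Before calling set, it checks the requirements the procedure states (leaf first and root last, Digital Signature key usage on the leaf, unencrypted PKCS#8 key that matches the leaf) so that a malformed chain is rejected client-side rather than applied to the STS. The setCertChain setter on X509CertChain and the caller-supplied, already authenticated SigningCertificate stub are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.security.cert.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.*;
import com.vmware.vcenter.certificate_management.X509CertChain;
import com.vmware.vcenter.certificate_management.vcenter.SigningCertificate;
import com.vmware.vcenter.certificate_management.vcenter.SigningCertificateTypes;

public class StsSigningCertReplace {
    // Pre-flight checks for the procedure's requirements: each certificate is signed by the next one
    // (leaf first, root last), the root is self-signed, the leaf has Digital Signature key usage,
    // and the unencrypted PKCS#8 private key actually belongs to the leaf certificate.
    static void validate(List<String> pemCerts, String pkcs8Pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (String pem : pemCerts)
            chain.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(pem.getBytes("US-ASCII"))));
        if (chain.isEmpty()) throw new IllegalArgumentException("no certificates in chain");
        X509Certificate leaf = chain.get(0), root = chain.get(chain.size() - 1);
        boolean[] ku = leaf.getKeyUsage();                        // KeyUsage bit 0 is digitalSignature
        if (ku == null || !ku[0]) throw new IllegalArgumentException("leaf lacks Digital Signature key usage");
        for (int i = 0; i + 1 < chain.size(); i++)
            chain.get(i).verify(chain.get(i + 1).getPublicKey());  // throws SignatureException if misordered
        root.verify(root.getPublicKey());                          // root must be self-signed
        leaf.checkValidity();
        String b64 = pkcs8Pem.replace("-----BEGIN PRIVATE KEY-----", "")
                             .replace("-----END PRIVATE KEY-----", "").replaceAll("\\s", "");
        PrivateKey key = KeyFactory.getInstance(leaf.getPublicKey().getAlgorithm())
                .generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64)));
        Signature sig = Signature.getInstance("EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA");
        byte[] probe = "probe".getBytes("US-ASCII");
        sig.initSign(key); sig.update(probe); byte[] signed = sig.sign();
        sig.initVerify(leaf.getPublicKey()); sig.update(probe);
        if (!sig.verify(signed)) throw new IllegalArgumentException("private key does not match the leaf certificate");
    }

    // Steps 1 and 2 of the procedure. 'sts' is an authenticated SigningCertificate stub that the
    // caller obtains from the SDK's StubFactory (assumed); pemCerts is ordered leaf first, root last.
    static void replace(SigningCertificate sts, List<String> pemCerts, String pkcs8Pem) throws Exception {
        validate(pemCerts, pkcs8Pem);
        X509CertChain chain = new X509CertChain();
        chain.setCertChain(pemCerts);                              // assumed setter name on X509CertChain
        SigningCertificateTypes.SetSpec spec = new SigningCertificateTypes.SetSpec();
        spec.setPrivateKey(pkcs8Pem);
        spec.setSigningCertChain(chain);
        sts.set(spec);                                             // then restart vCenter and linked services
    }
}
```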

Results

Caution: Changing the STS signing certificate might leave systems in the local vCenter Server domain in a non-functional state. To prevent system failure, restart your vCenter Server instance and all linked services after the change.