Symptoms
You will see an alert in the vSphere UI:
STS Signing Certificates are about to expire
Purpose
This article explains how to replace the STS signing certificate using the H5C (HTML5 client) UI in vCenter Server 7.0 Update 3 and later.
Impact / Risks
If the STS signing certificates expire without being replaced, vSphere will no longer be functional.
Resolution
To update the STS signing certificate using the H5C UI:
1. Connect to the vSphere HTML5 client at https://vcenter_server_ip_address_or_fqdn/ui
2. From the Home menu, select Administration.
3. Under Certificates, click Certificate Management.
4. In the STS Signing Certificate card, open the Actions drop-down. You will see two options:
Refresh with vCenter certificate (Recommended)
Click the Refresh button in the Refresh with vCenter Certificate dialog. In some environments the dialog's Refresh button may be replaced with a Force Refresh button, or clicking Refresh may open a second Refresh with vCenter Certificate dialog that offers Force Refresh. Force Refresh requires rebooting all systems and may leave systems unusable. If restarting all systems is not an option, or if you are unsure of the consequences of Force Refresh, press Cancel. You will be taken back to the original dialog with an error message displayed; press Cancel and follow the KB "Signing certificate is not valid" error in VCSA 6.5.x/6.7.x and vCenter Server 7.0.x. Using the Refresh action replaces any third-party/custom certificates with vCenter-issued certificates. If third-party/custom certificates are required for compliance reasons, this takes vSphere out of compliance.
Import and Replace Certificate (use this if you want to provide your own certificates, such as custom or third-party certificates):
Select a PEM file which contains a valid certificate chain with the leaf cert marked for digital signature key usage and the corresponding unencrypted private key.
After a successful Import and Replace or Refresh action, the UI may indicate that all systems must be rebooted. If it does, every system in your SSO domain (vCenter Servers and PSCs) must be restarted manually.
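The Import and Replace action silently depends on the PEM file meeting the requirements listed above: a certificate block, a leaf certificate whose key usage includes digitalSignature, and an unencrypted private key that actually belongs to that leaf. The following pre-flight check is an added example written for this article and is not a VMware tool; it uses only the openssl command line. It assumes the bundle is a single PEM file with the leaf certificate first, followed by any intermediates and then the private key, and it builds its own throwaway sample bundles (constructed for illustration, not real vCenter material) so it can be run offline.

```shell
#!/bin/sh
# Pre-flight check for a PEM bundle before using "Import and Replace" on the
# STS signing certificate. Added example; uses only openssl, not VMware tooling.
# Assumption: the bundle is ordered leaf cert, intermediates, private key.

check_sts_pem() {
  pem="$1"
  # 1. At least one certificate block must be present
  grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" \
    || { echo "FAIL: no certificate block"; return 1; }
  # 2. The private key must be unencrypted: reject PKCS#8 encrypted keys and
  #    legacy PEM keys carrying a Proc-Type: 4,ENCRYPTED header
  grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$pem" \
    && { echo "FAIL: private key is encrypted"; return 1; }
  grep -q 'Proc-Type: 4,ENCRYPTED' "$pem" \
    && { echo "FAIL: private key is encrypted"; return 1; }
  grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$pem" \
    || { echo "FAIL: no private key block"; return 1; }
  # 3. The first certificate (the leaf) must carry the digitalSignature key usage
  openssl x509 -in "$pem" -noout -text \
    | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature' \
    || { echo "FAIL: leaf certificate lacks digitalSignature key usage"; return 1; }
  # 4. The private key must correspond to the leaf: compare SHA-256 of the
  #    DER-encoded public key derived from each
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$pem" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: private key does not match leaf certificate"; return 1; }
  echo "ok"
  return 0
}

# Builds constructed sample bundles in the given directory: one that passes
# and three that each violate one requirement. Hypothetical helper for the demo.
make_sample_bundles() {
  dir="$1"
  # Leaf with digitalSignature key usage plus its unencrypted key (should pass)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sts-example" \
    -addext "keyUsage=critical,digitalSignature" \
    -keyout "$dir/good.key" -out "$dir/good.crt" 2>/dev/null
  cat "$dir/good.crt" "$dir/good.key" > "$dir/good.pem"
  # Leaf whose key usage omits digitalSignature
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sts-example" \
    -addext "keyUsage=critical,keyEncipherment" \
    -keyout "$dir/nosig.key" -out "$dir/nosig.crt" 2>/dev/null
  cat "$dir/nosig.crt" "$dir/nosig.key" > "$dir/nosig.pem"
  # Good leaf paired with a password-protected (PKCS#8 encrypted) key
  openssl pkcs8 -topk8 -in "$dir/good.key" -passout pass:example -out "$dir/enc.key"
  cat "$dir/good.crt" "$dir/enc.key" > "$dir/encrypted.pem"
  # Good leaf paired with a key that belongs to a different certificate
  cat "$dir/good.crt" "$dir/nosig.key" > "$dir/mismatch.pem"
}

# Usage: check_sts_pem /path/to/sts-bundle.pem
# Demo run against the constructed bundles:
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_sample_bundles "$d"
  for f in good nosig encrypted mismatch; do
    printf '%s: ' "$f"; check_sts_pem "$d/$f.pem"
  done
  rm -rf "$d"
fi
```

The key-usage check reads only the first certificate in the file, which is why the leaf must come first; if your bundle is ordered root-first, the check will report the root's key usage instead, so reorder the file before importing. The key-match step catches the common mistake of pairing a renewed certificate with the previous key, a combination the UI will reject only after the upload.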
Related Information
"Signing certificate is not valid" error in VCSA 6.5.x/6.7.x and vCenter Server 7.0.x
"Signing certificate is not valid" error in vCenter Server 6.5.x and 6.7.x on Windows
For more information on STS certificates, see Security Token Service (STS).