vSphere 6.x/7.x STS Certificate Replace
22 Feb 2021
Ettore Dreucci
2 minute read

[recipe, sysadmin]: How to replace an expiring/expired vSphere 6.x/7.x STS cert

New job, new problems: back from the weekend I booted my work laptop and started deploying a new VM on our small internal VMware ESXi cluster.

So I opened the vCenter web client, entered my credentials and, after a click on the Submit button, stared in disbelief at an error stating “User name and password are required”.

I blinked and made sure that no, I was not still asleep, and that I had typed both the user name and the password, in the correct fields too!

First guess: something weird with the browser cache or an old cookie still alive. I reloaded the page, restarted the browser and cleared the cache, but the problem remained. Nice way to start the week!

After a bit of google-fu a wild VMware knowledge-base article appeared which describes the exact problem I was experiencing. Yay! Cause: the Security Token Service (STS) signing certificate has expired. An additional note stated that when the STS certificate expires it does so without warning, so the first symptom you get is exactly this: nobody can log in any more. Lovely!

So without further ado, here are the remediation steps. Take a snapshot of the VCSA before you start: if a later step goes wrong, a snapshot is the quickest way back to a known state.

Check the expiration of the STS cert:

  1. Download the Python script linked here onto the VCSA and make it executable (chmod +x)
  2. Run it!
  3. If the STS cert is shown as expired or about to expire, go on to the next section

Replace the STS cert with a new one:

  1. Download the fix script linked here onto the VCSA and make it executable (chmod +x)
  2. Run it!
  3. Restart all services in the SSO domain with:

    service-control --stop --all
    service-control --start --all
  4. If the STS cert was already expired, other certs may well have expired too, in which case the restart will fail (and you will start to sweat, feeling the pressure of having destroyed a “perfectly functioning” system), so you will have to…

Check for other expired certificates:

  1. Run the following one-liner, which prints the alias and the Not After date of every entry in every VECS store, and look for dates in the past

for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done

  2. Run the vSphere Certificate Manager with /usr/lib/vmware-vmca/bin/certificate-manager as explained here
    1. If only the Machine SSL cert is expired, run option 3 (Replace Machine SSL certificate with VMCA certificate)
    2. If any root cert is expired, run option 8 (Reset all certificates)
    3. If any of the vpxd, vpxd-extension, machine or vsphere-webclient solution user certs is expired, run option 6 (Replace Solution user certificates with VMCA certificates)
    4. If the service restart still fails, use option 4 (Regenerate a new VMCA Root certificate and replace all certificates)
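The one-liner above only prints the Alias and Not After lines and leaves the date comparison to your eyes. The script below is an added example, not VMware's checksts.py and not code from this post: it wraps the same two vecs-cli calls (store list, then entry list --text per store), parses each Not After date and reports the entries that are already expired or will expire within a configurable window, exiting non-zero when something has expired so it can run from cron. The vecs-cli path is the real one on a VCSA; SAMPLE_STORES, its aliases, its dates and SAMPLE_NOW are constructed so the script runs offline, and when the binary is absent the script audits that sample instead.

```python
"""Audit all VECS stores on a vCenter Server Appliance for expired or
soon-to-expire certificates (added example; not VMware's checksts.py)."""
import os
import subprocess
import sys
from datetime import datetime, timedelta, timezone

VECS_CLI = "/usr/lib/vmware-vmafd/bin/vecs-cli"  # real path on the VCSA

# Constructed sample of `vecs-cli entry list --store <store> --text` output,
# trimmed to the lines this script reads. The aliases and dates are made up.
SAMPLE_STORES = {
    "MACHINE_SSL_CERT": """\
Number of entries in store : 1
Alias : __MACHINE_CERT
Entry type : Private Key
        Validity
            Not Before: Feb 10 12:00:00 2019 GMT
            Not After : Feb  9 12:00:00 2021 GMT
""",
    "vpxd": """\
Alias : vpxd
Entry type : Private Key
        Validity
            Not Before: Mar  1 08:00:00 2019 GMT
            Not After : Mar  1 08:00:00 2021 GMT
""",
    "TRUSTED_ROOTS": """\
Alias : a1b2c3d4e5f60718293a4b5c6d7e8f9001122334
Entry type : Trusted Cert
        Validity
            Not Before: Jan  1 00:00:00 2019 GMT
            Not After : Jan  1 00:00:00 2029 GMT
""",
}
# Constructed "current time" used with the sample (the date of this post).
SAMPLE_NOW = datetime(2021, 2, 22, 9, 0, 0)


def parse_entries(text):
    """Yield (alias, not_after) for every certificate in one store's --text output.

    vecs-cli prints an 'Alias :' line before each entry and, for certificates,
    an openssl-style 'Not After :' line. Stores holding passwords or CRLs have
    no 'Not After' lines and therefore yield nothing.
    """
    alias = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Alias"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Not After"):
            stamp = line.split(":", 1)[1].strip()  # e.g. "Feb  9 12:00:00 2021 GMT"
            yield alias, datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")


def classify(not_after, now, warn_days=30):
    """Return EXPIRED, EXPIRING (within warn_days) or OK; both times naive UTC."""
    if not_after <= now:
        return "EXPIRED"
    if not_after - now <= timedelta(days=warn_days):
        return "EXPIRING"
    return "OK"


def audit(stores, now, warn_days=30):
    """stores maps store name -> --text output. Returns the non-OK entries,
    earliest expiry first, as dicts with store/alias/not_after/status."""
    findings = []
    for store, text in stores.items():
        for alias, not_after in parse_entries(text):
            status = classify(not_after, now, warn_days)
            if status != "OK":
                findings.append({"store": store, "alias": alias,
                                 "not_after": not_after, "status": status})
    findings.sort(key=lambda f: f["not_after"])
    return findings


def live_stores():
    """The same two vecs-cli calls as the one-liner: list stores, dump each."""
    names = subprocess.check_output([VECS_CLI, "store", "list"], text=True).split()
    return {name: subprocess.check_output(
        [VECS_CLI, "entry", "list", "--store", name, "--text"], text=True)
        for name in names}


if __name__ == "__main__":
    if os.path.exists(VECS_CLI):  # on a real VCSA
        stores, now = live_stores(), datetime.now(timezone.utc).replace(tzinfo=None)
    else:  # offline: audit the constructed sample instead
        stores, now = SAMPLE_STORES, SAMPLE_NOW
    findings = audit(stores, now)
    for f in findings:
        print(f"{f['status']:<9} {f['store']:<18} {f['alias']:<42} {f['not_after']:%Y-%m-%d}")
    # Non-zero exit when something has already expired, so cron/monitoring notices.
    sys.exit(1 if any(f["status"] == "EXPIRED" for f in findings) else 0)
```

Run it on the appliance as root (vecs-cli needs to read the stores); the STS signing certificate itself lives in vmdir rather than VECS, so this complements the STS check script rather than replacing it.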


Now all the services should be up and running and the web client should accept your credentials again. Keep in mind that anything registered with vCenter that trusted the old certificates (backup appliances, monitoring tools, plugins) may need to be re-trusted or re-registered afterwards.