VMware Cloud Community
abauerly
Contributor

Expired STS Signing Cert in vCenter 5.5

We have a vCenter 5.5 deployment that was working with certificates generated by an internal Microsoft CA. The cert was expiring soon, so we created a new chain and then generated all new certs for all the services. However, the vCenter 5.5 articles in the KB didn't mention (or I completely missed the section) updating the STS signing certificate chain. So now here we are, one day after the certificate expired, and we can't access vSphere.

Any ideas on how to "manually" update the STS signing cert? (I.e., use CLI to update a keystore or something.) Every reference I can find just points to the Web Client to update it, but I can't access the Web Client because the logon fails due to the expired signing cert! Catch-22.


Accepted Solutions
abauerly
Contributor

I found a way around the expiration date: time travel. I set the system date to a time before the cert expired, and quickly logged into the web client before the system could update to the correct date. I uploaded the new JKS cert chain, and am now rebooting the server (after ensuring it had traveled back to the present day).
