Hello Community,
I am facing a very, very hard issue and hopefully someone is able to help me.
I have a vCenter instance running on v6.7 which worked flawlessly. 2 days ago I noticed that my third party tools couldn't authenticate at the vCenter from 2AM on.
As I tried in the early morning, I couldn't log in either. After restarting the vCenter and still not being able to log in, I scrolled through the logs and found entries like this:
[2018-10-05T10:07:34.981+02:00 tomcat-http--33 *LOCALDOMAIN* df75c2bb-8eb2-46bb-847f-3d0c5e00eae6 ERROR com.vmware.identity.SsoController] Could not handle SAML Authentication request
com.vmware.identity.saml.UnsupportedTokenLifetimeException: Signing certificate is not valid at Fri Oct 05 10:07:34 CEST 2018, cert validity: TimePeriod [startTime=Tue Sep 05 02:00:00 CEST 2017, endTime=Fri Oct 05 01:59:59 CEST 2018]
I noticed that this was the same time my wildcard certificate was valid for, which I replaced on all webservers and forgot that I had added it to the STS Signing as well.
Due to the restart many services weren't able to start as they couldn't log in.
Then I searched further, found and followed this VMware doc to get a new STS Signing Certificate: Generate a New STS Signing Certificate on the Appliance
Unfortunately the ssoserverRoot.crt certificate was missing in the requested folder, so I replaced the link to the Machine Cert of the PSC (which should be the correct certificate). This gave me the correct root-trust.jks.
As I wanted to proceed with the next step, Refresh the Security Token Service Certificate, to replace the expired one, I noticed the only listed way is through the Web UI, which I obviously can't use...
Does anyone know a way to do this via the Command Line?
Any input is highly appreciated, as I am unable to use my cluster at the moment.
Thank you in advance!
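The failure above shows up in the SsoController log long before anyone notices login is broken, so a monitoring check that parses the "Signing certificate is not valid" line and reports the STS signing certificate's validity window is worth having. The following is an added example, not code from the post or from VMware; it assumes the Java Date format shown in the quoted log and maps the CET/CEST zone names to fixed offsets, and it uses the two quoted lines as constructed sample input.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two log lines quoted in the post, reused as test input.
SAMPLE_LOG = """\
[2018-10-05T10:07:34.981+02:00 tomcat-http--33 LOCALDOMAIN df75c2bb-8eb2-46bb-847f-3d0c5e00eae6 ERROR com.vmware.identity.SsoController] Could not handle SAML Authentication request
com.vmware.identity.saml.UnsupportedTokenLifetimeException: Signing certificate is not valid at Fri Oct 05 10:07:34 CEST 2018, cert validity: TimePeriod [startTime=Tue Sep 05 02:00:00 CEST 2017, endTime=Fri Oct 05 01:59:59 CEST 2018]
"""

# Assumed offsets for the zone abbreviations seen in this log; strptime cannot
# resolve names like CEST by itself, so they are mapped explicitly here.
TZ_OFFSETS = {"CET": 1, "CEST": 2, "UTC": 0, "GMT": 0}

PATTERN = re.compile(
    r"Signing certificate is not valid at (?P<at>[^,]+), "
    r"cert validity: TimePeriod \[startTime=(?P<start>[^,]+), endTime=(?P<end>[^\]]+)\]"
)

def parse_java_date(text):
    """Parse a Java Date.toString() value such as 'Fri Oct 05 01:59:59 CEST 2018'."""
    _dow, mon, day, clock, zone, year = text.split()
    naive = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))

def find_sts_cert_failures(log_text):
    """Return one record per 'Signing certificate is not valid' event found in the log."""
    events = []
    for m in PATTERN.finditer(log_text):
        at, start, end = (parse_java_date(m.group(k)) for k in ("at", "start", "end"))
        events.append({
            "at": at, "start": start, "end": end,
            "expired": at > end,          # failure after endTime: the cert ran out
            "not_yet_valid": at < start,  # failure before startTime: clock or cert skew
            "overdue": at - end,          # how long SAML auth has been failing
        })
    return events

def days_until_expiry(end, now):
    """Days left on the STS signing cert; negative once it has already expired."""
    return (end - now).total_seconds() / 86400

if __name__ == "__main__":
    for ev in find_sts_cert_failures(SAMPLE_LOG):
        print(f"STS signing cert valid {ev['start']} .. {ev['end']}; "
              f"expired={ev['expired']} overdue={ev['overdue']}")
```

Run periodically against the SSO log, or feed `days_until_expiry` with the endTime taken from the current STS certificate, to get a warning well before the wildcard certificate's end date hits the STS signer again.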