baijup
VMware Employee

vCenter STS Certificate may expire soon in certain configurations and will result in an inability to log in to vCenter Server

In certain configurations, the vCenter Server Secure Token Service (STS) certificate may expire soon. STS expiry will occur without warning and will result in an inability to log in to vCenter Server. VMware recommends checking the STS certificate expiration date and replacing the certificate if it will expire within the next few days or months. For more information, refer to the blog below:

Signing Certificate is not Valid – Security Token Service Certificate Issue in vSphere - VMware vSph...

The following FAQs will help you understand the STS Certificate and the steps to replace it:

  • What is the STS Certificate?
    • The STS signing certificate is used by Single Sign-On (SSO) to sign SAML tokens during authentication
  • What is the impact if the STS Certificate has expired?
    • As with a Machine SSL Certificate expiry, production will be impacted:
      • Logins to vCenter Server will not work, as SSO will fail to generate a SAML token due to the expired STS Certificate
      • Communication between the various services in vCenter Server will fail
      • Critical vCenter services will not start if you try to restart vCenter Server or vCenter services (for example, the vpxd-svcs and vpxd services will not start)
  • What is the validity of the STS Certificate?
    • STS Certificate validity varies by vCenter Server build; the details are as follows:
      • vCenter Server 6.5
        • Prior to 6.5 U2
          • Validity for new deployment – 10 years
          • Validity in case certificate is renewed post deployment – 10 years
        • 6.5 U2 or above
          • Validity for new deployment – 2 years
          • Validity in case certificate is renewed post deployment – 2 years
      • vCenter Server 6.7
        • Prior to 6.7 U3g
          • Validity for new deployment – 10 years
          • Validity in case certificate is renewed post deployment – 10 years
        • 6.7 U3g or above
          • Validity for new deployment – 10 years
          • Validity in case certificate is renewed post deployment – 2 years
      • vCenter Server 7.0
        • 7.0 GA and above
          • Validity for new deployment – 10 years
          • Validity in case certificate is renewed post deployment – 2 years
    • STS Certificate validity for upgraded environments
      • A vCenter Server upgrade carries forward the STS Certificate from the source vCenter Server. For example, a vCenter Server 6.7 upgraded from a new deployment of 6.5 U2 will have a 2-year validity for its STS Certificate
  • Why is Certificate validity being limited to 2 years?
  • How do I check STS Certificate expiry on vCenter Server?
  • How do I replace an expired or nearly expired STS Certificate?
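As an added example (not VMware's own tooling and not part of this post), the following POSIX shell script performs the kind of expiry check recommended above: it classifies every certificate in a PEM bundle as EXPIRED, WARNING or OK against a warning window using openssl x509 -checkend. It assumes the STS signing certificate and its chain have already been exported from vCenter Server into a PEM file; the export step itself is not shown here.

```shell
#!/bin/sh
# Classify each certificate in a PEM bundle as EXPIRED, WARNING (expires within
# the warning window) or OK. Added example, not VMware's own tooling.
# Assumption: the STS signing certificate (plus chain) has already been exported
# from vCenter Server into a PEM file; that export step is not shown here.

# Report one PEM certificate file: prints "STATUS notAfter=... subject=...".
# Exit status: 0 = OK, 1 = WARNING, 2 = EXPIRED.
cert_status() {
    cert="$1"
    warn_days="${2:-30}"
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        status=EXPIRED; rc=2            # notAfter is already in the past
    elif ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        status=WARNING; rc=1            # expires inside the warning window
    else
        status=OK; rc=0
    fi
    end=$(openssl x509 -in "$cert" -noout -enddate)
    subj=$(openssl x509 -in "$cert" -noout -subject)
    printf '%s %s %s\n' "$status" "$end" "$subj"
    return "$rc"
}

# Walk a bundle with one or more BEGIN/END CERTIFICATE blocks (openssl x509 only
# reads the first one) and report every certificate; exit status is the worst seen.
sts_bundle_status() {
    bundle="$1"
    warn_days="${2:-30}"
    tmp=$(mktemp -d) || return 3
    # Each BEGIN line starts a new numbered file; text before the first is dropped.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n > 0 { print > (d "/cert" n ".pem") }' "$bundle"
    worst=0
    for f in "$tmp"/cert*.pem; do
        [ -f "$f" ] || continue
        if cert_status "$f" "$warn_days"; then rc=0; else rc=$?; fi
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    rm -rf "$tmp"
    return "$worst"
}

# Usage: sts_bundle_status /path/to/exported-sts-chain.pem 30
```

The exit status (0, 1 or 2) is suitable for a cron or monitoring check, so the expiry is noticed before it breaks logins.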