In certain configurations, the vCenter Server Secure Token Service (STS) signing certificate may be close to expiry. The certificate expires without any warning, and once it has expired it is no longer possible to log in to vCenter Server. VMware recommends checking the expiration date of the STS certificate and replacing it if it will expire within the next few days or months. For more information, see the blog post below:
Signing Certificate is not Valid – Security Token Service Certificate Issue in vSphere - VMware vSph...
The following FAQs explain what the STS certificate is and the steps needed to replace it:
- What is the STS certificate?
  - The STS signing certificate is used by vCenter Single Sign-On (SSO) to sign the SAML tokens it issues during authentication.
- What is the impact if the STS certificate has expired?
  - As with an expired Machine SSL certificate, production is impacted:
    - Logins to vCenter Server fail, because SSO cannot issue SAML tokens once the STS signing certificate has expired
    - Communication between the various vCenter Server services fails
    - Critical vCenter services will not start if vCenter Server or its services are restarted (for example, the vpxd-svcs and vpxd services will not start)
- What is the validity period of the STS certificate?
  - The validity period depends on the vCenter Server build:
    - vCenter Server 6.5
      - Prior to 6.5 U2
        - Validity for a new deployment: 10 years
        - Validity when the certificate is renewed after deployment: 10 years
      - 6.5 U2 or later
        - Validity for a new deployment: 2 years
        - Validity when the certificate is renewed after deployment: 2 years
    - vCenter Server 6.7
      - Prior to 6.7 U3g
        - Validity for a new deployment: 10 years
        - Validity when the certificate is renewed after deployment: 10 years
      - 6.7 U3g or later
        - Validity for a new deployment: 10 years
        - Validity when the certificate is renewed after deployment: 2 years
    - vCenter Server 7.0
      - 7.0 GA and later
        - Validity for a new deployment: 10 years
        - Validity when the certificate is renewed after deployment: 2 years
  - STS certificate validity in upgraded environments
    - A vCenter Server upgrade carries the STS certificate forward from the source vCenter Server, so the validity is whatever the source build issued, not the new build's new-deployment value. For example, a vCenter Server 6.7 instance upgraded from a fresh 6.5 U2 deployment keeps that deployment's 2-year STS certificate.
- Why is the certificate validity limited to 2 years?
  - In line with CA/Browser Forum recommendations, the validity of leaf certificates (certificates issued by a Certificate Authority, VMCA in the case of the default certificates) is limited to 2 years. More information is in the links below:
- How do I check the STS certificate expiry on vCenter Server?
- How do I replace an expired or soon-to-expire STS certificate?