In certain configurations, the vCenter Server Secure Token Service (STS) certificate may expire soon. STS expiry will occur without warning and will result in inability to login to vCenter Server. VMware recommends checking the STS certificate expiration date and replacing that certificate if it will expire within next few days/months. For more information refer below blog:

Signing Certificate is not Valid – Security Token Service Certificate Issue in vSphere - VMware vSph...

Following FAQs will help to understand STS Certificate and the steps to replace:

• What is STS Certificate?
  • The STS signing certificate is used by Single Sign-On (SSO) to sign SAML Tokens during authentication
• What is the impact if STS Certificate is expired?
  • Like Machine SSL Certificate expiry situation, Production will be impacted:
    • Logins to vCenter Server will not work as SSO will fail to generate SAML Token due to expired STS Certificate
    • Communication between various services in vCenter Server will fail
    • Critical vCenter Services will not start if you try to restart vCenter Server or vCenter Services (for example - vpxd-svcs, vpxd services will not start)
• What is the validity of STS Certificate?
  • STS Certificate validity varies on vCenter Server builds, following are the details:
    • vCenter Server 6.5
      • Prior to 6.5 U2
        • Validity for new deployment – 10 years
        • Validity in case certificate is renewed post deployment – 10 years
      • 6.5 U2 or above
        • Validity for new deployment – 2 years
        • Validity in case certificate is renewed post deployment – 2 years
    • vCenter Server 6.7
      • Prior to 6.7 U3g
        • Validity for new deployment – 10 years
        • Validity in case certificate is renewed post deployment – 10 years
      • 6.7U3g or above
        • Validity for new deployment – 10 years
        • Validity in case certificate is renewed post deployment – 2 years
    • vCenter Server 7.0
      • 7.0 GA and above
        • Validity for new deployment – 10 years
        • Validity in case certificate is renewed post deployment – 2 years
  • STS Certificate validity for upgraded environments
    • vCenter Server upgrade will carry forward the STS Certificate from the source vCenter Server. For example, vCenter Server 6.7 upgraded from new deployment of 6.5 U2 will have 2 years validity for STS certificate
• Why Certificate validity is getting limited to 2 years?
  • According to the CA/Browser Forum recommendations, validity of all leaf certificates (certificates issued by a Certificate Authority, VMCA in case of default certificate) should be limited to 2 years, more information in below links:
    • SSL/TLS Certificate Validity is Now Capped at a Maximum of Two Years
    • Ballot 193 - 825-day Certificate Lifetimes - CAB Forum
• How to check STS Certificate expiry on vCenter Server?
  • Follow the VMware Knowledge Base Article https://kb.vmware.com/s/article/79248 (Checking Expiration of STS Certificate on vCenter Server)
  • Please refer Document Checking STS Certificate Validity on vCenter Server for step-by-step guide
• How to replace expired or nearing expiry STS Certificate?
  • Follow the VMware Knowledge Base Articles:
    • vCenter Server Appliance - https://kb.vmware.com/s/article/76719 ("Signing certificate is not valid" - Regenerating and replacing expired STS certificate using shell script on vCenter Server Appliance 6.5/6.7)
    • vCenter Server on Windows - https://kb.vmware.com/s/article/79263  ("Signing certificate is not valid" - Regenerating and replacing expired STS certificate using PowerShell script on vCenter Server 6.5/6.7 installed on Windows)
  • Please refer Document Replacing STS Certificate on vCenter Server for step-by-step guide