STS Signing Certificate is expiring on Windows vCenter 6.0
Hello,
I have a Windows vCenter 6.0 whose STS Signing Certificate will expire soon. What is the right procedure to renew the certificate?
I have found some articles on this topic, but all of them are for vCenter 6.5 or vCenter 6.7, not for 6.0.
Thank you for your help !
BTW, I got some errors when running the checksts.py script.
Hello dongjh,
First you need to create the certificate on the Windows vCenter using the certool utility. The procedure is quite straightforward: Generate a New STS Signing Certificate on a vCenter Windows Installation
After you do that you will need to refresh the certificate: Refresh the Security Token Service Certificate
Remember:
- Take a snapshot and backup before doing the task (PSCs and vCenter Server)
- After the procedure, restart the server.
Let us know how it goes.
Hi Lalegre,
Thank you for your quick reply, but I still encountered an error when recreating the certificate. Do you know what the problem is?
That issue is related to the OpenSSL config file not being found at that path: either the file is missing or it is not in that path. I recommend you cd to that path and search for it. Also run the command from inside the directory.
Moderator: Thread moved to the vCenter Server area.
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog
If your vSphere environment is running anything like production workloads, you should consider upgrading to at least 6.5, since VMware no longer provides support or updates for 6.0.
Hi,
I have created the new certificate and added it to the vCenter configuration. Unfortunately, after the reboot the STS certificate expiration warning is still there. How can I make it take effect?
Have you restarted the PSC and the vSphere Web Client?
Yes, the PSC and Web Client are installed in one VM, and I have rebooted the whole VM.
Hey,
Looking here you will see some useful commands to list your current certificates and delete the unnecessary one from the Java Key Store using the keytool.exe tool: https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
Focus on the keytool -list and keytool -delete commands.
Remember to take a snapshot first.
Hello,
What is the path and name of the keystore file?
I could not even remove either of these two certificate chains now.
Hey, the path is here: C:\Program Files\VMware\vCenter Server\jre\bin\keytool.exe
It is the one mentioned in one of the first articles. Try to delete it using that tool.
Could not find the keystone.js file.
Hey,
Try running the following: keytool.exe -list -v -keystore root-trust.jks
C:\ProgramData\VMware\vCenterServer\cfg\sso\keys\newsts>"C:\Program Files\VMware\vCenter Server\jre\bin\keytool.exe" -list -v -keystore root-trust.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: root-ca
Creation date: 2020-9-14
Entry type: trustedCertEntry
Owner: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
Issuer: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
Serial number: f885f49bec9a18e8
Valid from: Sun Sep 23 09:34:42 CST 2018 until: Wed Sep 20 09:34:42 CST 2028
Certificate fingerprints:
MD5: 9E:9E:7C:AF:70:7F:DC:02:C3:AE:E0:40:2C:80:DE:FD
SHA1: A7:27:C0:F8:9C:E6:A6:C0:25:DA:7F:E4:D8:0C:14:38:C7:0E:1A:A7
SHA256: 38:9D:83:6B:51:10:44:43:71:70:3A:C6:B8:9A:BC:B0:32:66:55:6C:3D:E4:C2:61:6C:FD:FF:40:45:AF:E2:AA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: email@acme.com
IPAddress: 127.0.0.1
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B8 FF 79 34 6C A8 33 D7 F0 8D B0 EE 9C 7D E9 23 ..y4l.3........#
0010: 9E A0 A7 96 ....
]
]
*******************************************
*******************************************
Alias name: newstssigning
Creation date: 2020-9-14
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: OU=VMware, O=VMware, L=Palo Alto, ST=California, C=US, CN=CA
Issuer: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
Serial number: df6477ab15b7445d
Valid from: Mon Sep 14 14:41:13 CST 2020 until: Wed Sep 14 14:41:13 CST 2022
Certificate fingerprints:
MD5: 2F:E3:3F:98:DA:64:4F:28:1F:85:EB:5A:83:C9:5B:66
SHA1: 78:AB:83:21:3D:3E:F0:6A:DF:C9:CC:4E:32:B3:9B:7F:FC:2C:E8:74
SHA256: E7:EB:28:4C:AC:7E:9B:94:03:89:08:72:3C:46:D4:82:FB:C8:B0:4F:BC:AB:3B:B5:6B:65:B2:7E:C7:26:DB:28
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B8 FF 79 34 6C A8 33 D7 F0 8D B0 EE 9C 7D E9 23 ..y4l.3........#
0010: 9E A0 A7 96 ....
]
]
#2: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
]
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: dongjh@ahope.com.cn
IPAddress: 10.44.221.29
DNSName: scxt-vCenter
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EC FC 60 86 DF 98 B2 15 D3 56 7A 7F BF 23 B4 25 ..`......Vz..#.%
0010: 7D E8 3C 89 ..<.
]
]
Certificate[2]:
Owner: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
Issuer: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
Serial number: f885f49bec9a18e8
Valid from: Sun Sep 23 09:34:42 CST 2018 until: Wed Sep 20 09:34:42 CST 2028
Certificate fingerprints:
MD5: 9E:9E:7C:AF:70:7F:DC:02:C3:AE:E0:40:2C:80:DE:FD
SHA1: A7:27:C0:F8:9C:E6:A6:C0:25:DA:7F:E4:D8:0C:14:38:C7:0E:1A:A7
SHA256: 38:9D:83:6B:51:10:44:43:71:70:3A:C6:B8:9A:BC:B0:32:66:55:6C:3D:E4:C2:61:6C:FD:FF:40:45:AF:E2:AA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: email@acme.com
IPAddress: 127.0.0.1
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B8 FF 79 34 6C A8 33 D7 F0 8D B0 EE 9C 7D E9 23 ..y4l.3........#
0010: 9E A0 A7 96 ....
]
]
*******************************************
*******************************************
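The keytool listing above is the evidence you need to answer "which entry is about to expire, and does the keystore actually hold a private key for the new STS cert?", but reading validity windows out of a long -v dump by eye is error-prone. The following is an added example, not code from the thread or from VMware: it parses the English-locale form of `keytool -list -v` output, computes days-to-expiry per alias from the leaf certificate, checks that a PrivateKeyEntry's chain actually links leaf to root, and lists which aliases hold a private key (the only ones the STS could sign tokens with). The sample input is constructed from the two entries posted above (subjects, serials and validity dates copied; fingerprints and extensions dropped); the Java date parser drops the zone abbreviation, which is an assumption that comparisons in naive local time are good enough for a days-left estimate.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Union

# Constructed sample: the two root-trust.jks entries from the thread, as an English-locale keytool prints them.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries

Alias name: root-ca
Creation date: Sep 14, 2020
Entry type: trustedCertEntry
Owner: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
Issuer: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
Serial number: f885f49bec9a18e8
Valid from: Sun Sep 23 09:34:42 CST 2018 until: Wed Sep 20 09:34:42 CST 2028
*******************************************
*******************************************
Alias name: newstssigning
Creation date: Sep 14, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: OU=VMware, O=VMware, L=Palo Alto, ST=California, C=US, CN=CA
Issuer: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
Serial number: df6477ab15b7445d
Valid from: Mon Sep 14 14:41:13 CST 2020 until: Wed Sep 14 14:41:13 CST 2022
Certificate[2]:
Owner: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
Issuer: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
Serial number: f885f49bec9a18e8
Valid from: Sun Sep 23 09:34:42 CST 2018 until: Wed Sep 20 09:34:42 CST 2028
"""

JAVA_DATE_FMT = "%a %b %d %H:%M:%S %Y"
VALID_RE = re.compile(r"^Valid from:\s*(.+?)\s+until:\s*(.+)$")


@dataclass
class Cert:
    owner: str = ""
    issuer: str = ""
    serial: str = ""
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None


@dataclass
class Entry:
    alias: str
    entry_type: str = ""
    chain: List[Cert] = field(default_factory=list)  # chain[0] is the leaf


def parse_java_date(text: str) -> datetime:
    """Parse Java's Date.toString() form, e.g. 'Sun Sep 23 09:34:42 CST 2018'.
    Assumption: the zone abbreviation (token 5) is dropped; 'CST' is ambiguous (China Standard
    Time here, per the +08:00 log lines in the thread), so values are kept as naive local time."""
    parts = text.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), JAVA_DATE_FMT)


def parse_keytool_list(text: str) -> List[Entry]:
    """Turn `keytool -list -v` output into Entry objects; a trustedCertEntry gets a one-cert chain."""
    entries: List[Entry] = []
    cert: Optional[Cert] = None

    def current_cert() -> Cert:
        nonlocal cert
        if cert is None:  # trustedCertEntry prints no 'Certificate[n]:' header before Owner:
            cert = Cert()
            entries[-1].chain.append(cert)
        return cert

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            entries.append(Entry(alias=line.split(":", 1)[1].strip()))
            cert = None
        elif line.startswith("Entry type:"):
            entries[-1].entry_type = line.split(":", 1)[1].strip()
        elif re.match(r"^Certificate\[\d+\]:$", line):
            cert = Cert()
            entries[-1].chain.append(cert)
        elif line.startswith("Owner:"):
            current_cert().owner = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:"):
            current_cert().issuer = line.split(":", 1)[1].strip()
        elif line.startswith("Serial number:"):
            current_cert().serial = line.split(":", 1)[1].strip()
        else:
            m = VALID_RE.match(line)
            if m:
                c = current_cert()
                c.not_before, c.not_after = parse_java_date(m.group(1)), parse_java_date(m.group(2))
    return entries


def expiry_report(text: str, now: Union[datetime, str], warn_days: int = 30):
    """One (alias, entry_type, days_left, status) per entry, judged on the leaf certificate.
    `now` may be a datetime or an ISO date string such as '2020-09-15'."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    rows = []
    for e in parse_keytool_list(text):
        days_left = (e.chain[0].not_after - now).days
        status = "EXPIRED" if days_left < 0 else "EXPIRING" if days_left <= warn_days else "OK"
        rows.append((e.alias, e.entry_type, days_left, status))
    return rows


def chain_is_linked(entry: Entry) -> bool:
    """True when every certificate in the chain is issued by the one after it (leaf -> root)."""
    return all(a.issuer == b.owner for a, b in zip(entry.chain, entry.chain[1:]))


def signing_aliases(text: str) -> List[str]:
    """Aliases holding a private key: the only entries the STS could sign SAML tokens with."""
    return [e.alias for e in parse_keytool_list(text) if e.entry_type == "PrivateKeyEntry"]


if __name__ == "__main__":
    for alias, kind, days, status in expiry_report(SAMPLE_KEYTOOL_OUTPUT, "2020-09-15"):
        print(f"{alias:<16} {kind:<18} {days:>5} days left  {status}")
    print("signing entries:", signing_aliases(SAMPLE_KEYTOOL_OUTPUT))
```

Run it against a real dump with `keytool -list -v -keystore root-trust.jks > sts.txt` and feed the file contents to `expiry_report`. One thing the sample itself makes visible: the new `newstssigning` leaf is valid for only two years (Sep 2020 to Sep 2022), so the same warning will return at that point; a 30-day warning threshold on this report gives a calendar reminder independent of the vSphere Web Client alarm.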
Hey,
Reading a little bit more, I found this:
Thank you for your great help!
But the certificate expiry warning is still there. Can I ignore it?
It seems the new certificate is being used:
Trusted path found: <OU=scxt,O=hzliqun,L=Palo Alto,ST=Zhejiang,C=US,CN=STS>
[2020-09-15T17:00:01.975+08:00 pool-2-thread-3 opId=bfffae9d-5700-4ee6-a1d7-54f0c6ca1e40 DEBUG com.vmware.identity.token.impl.SamlTokenImpl] SAML token signature is valid status: true
Yep, as it says, it can still be there, and as you also found, it is already using the new STS certificate automatically.
Glad it helped! It was a long troubleshoot :smileygrin:
Same problem here, from Zhejiang, China. Email: yun2280@foxmail.com. Thanks!