VMware Cloud Community
mc1903cae
Enthusiast

How do I view/manage Single Sign-On Security Token Service (STS) Signing Certificates in vCenter Server 7.0?

Hi,

Can anyone please advise how I view/manage the STS certificates in vCenter Server v7.0?

In v6.x this could be done via the Web Client (Flash Client) by following the path "Administrator > Single Sign-On > Configuration > Certificates > STS Signing".

However, the Flash Client is not available in v7.0 and there is no STS Signing option in the HTML5 Client. I have found a specific reference to "Note: The STS certificate cannot be viewed from the HTML5 client" in https://kb.vmware.com/s/article/79248

I have downloaded the checksts.py Python script that is mentioned in KB79248 and I can see the STS certificate SHA-1 thumbprints (and only that); but that is all it does.


I generated & refreshed new STS signing certs based on my VMCA signed certificate chain, and now I need to delete the old STS leaf & root certificates (highlighted).

I know it is against VMware's recommendation to replace these internal/self-signed STS certificates, but in some environments this is not acceptable.

Is there a CLI command to manage them, as the HTML5 client clearly does not have 'feature parity' with the Web Client in this respect? 😞

As always, any help or advice will be welcomed.

Thanks

M

3 Replies
msripada
Virtuoso

Unfortunately there is no direct way to manage STS certificates in vCenter 7.0 via the web client, unlike in 6.x.

VMware is aware of this.

If the certificates in vCenter 7.0 are not expired, you can use the steps in the docs below to update the certs:

Managing Security Token Service

thanks,

MS

mc1903cae
Enthusiast

Hi msripada,

Thank you - it's exactly what I expected, to be honest, as it's usual to lose some existing functionality in a new vSphere release; I guess the need to get new features working is a higher priority than porting existing, rarely used features into the HTML5 client. #frustrating

For anyone following the "Generate a New STS Signing Certificate on the Appliance" procedure mentioned in Managing Security Token Service: be cautious with step 6.

My vCenter 7.0 server's VMCA is configured as a subordinate to my enterprise PKI (Root CA & Inter CA), but the file /etc/vmware-sso/keys/ssoserverRoot.crt was the old self-signed root CA generated during the vCenter Server install.

I broke my vCenter Server the first time (vpxd service failed to start on boot) as I did not notice this. 😞

I reverted my vCenter Server snapshot, backed up the 3 certs in the /etc/vmware-sso/keys/ directory, and replaced the default ssoserverRoot.crt cert with my Ent PKI Root CA certificate.

For completeness, I also replaced the machine.crt and ssoserver.crt files (they are identical) with the MACHINE_SSL certificate chain from the VECS Machine SSL cert store:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > /etc/vmware-sso/keys/machine.crt

cp /etc/vmware-sso/keys/machine.crt /etc/vmware-sso/keys/ssoserver.crt

I ran the remainder of the procedure (Refresh the Security Token Service Certificate) and vCenter Server now boots just fine.

Cheers

Martin

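A pre-flight script for step 6 of that procedure, added here as an example (it is not code from the thread or from VMware): it backs up the three files in /etc/vmware-sso/keys, optionally replaces ssoserverRoot.crt with the PKI root you point ROOT_CA_FILE at, stages the VECS Machine SSL chain exactly as the two commands above do, and refuses to go on unless that chain verifies against ssoserverRoot.crt, which is the mismatch that left vpxd unable to start. KEYS_DIR, VECS_CLI, ROOT_CA_FILE and RUN_STS_PREFLIGHT are assumed variable names; openssl is assumed to be on the appliance's PATH.

```shell
#!/bin/sh
# Added example (not from the thread or VMware). Assumes stock vCenter 7.0 paths;
# KEYS_DIR, VECS_CLI and ROOT_CA_FILE are assumed, overridable environment variables.
KEYS_DIR="${KEYS_DIR:-/etc/vmware-sso/keys}"
VECS_CLI="${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}"
ROOT_CA_FILE="${ROOT_CA_FILE:-}"   # your enterprise PKI root, PEM; empty = keep current

# Copy the three STS key files to a timestamped sibling directory; print its path.
backup_sso_keys() {
    dest="$1.bak.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$dest" || return 1
    for f in machine.crt ssoserver.crt ssoserverRoot.crt; do
        [ -f "$1/$f" ] && cp -p "$1/$f" "$dest/$f"
    done
    echo "$dest"
}

# 0 when the first certificate in chain file $1 verifies up to the root in $2,
# using the remaining certificates in $1 as untrusted intermediates; 1 otherwise.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Print the SHA-256 fingerprint of the first certificate in a PEM file, so the
# operator can compare ssoserverRoot.crt against the PKI root they expect.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

main() {
    backup=$(backup_sso_keys "$KEYS_DIR") || { echo "backup failed" >&2; return 1; }
    echo "backup written to $backup"
    root="$KEYS_DIR/ssoserverRoot.crt"
    if [ -n "$ROOT_CA_FILE" ]; then
        cp "$ROOT_CA_FILE" "$root" || return 1
    fi
    echo "ssoserverRoot.crt fingerprint: $(cert_fingerprint "$root")"
    # Stage the Machine SSL chain as machine.crt and its identical copy ssoserver.crt.
    "$VECS_CLI" entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT \
        > "$KEYS_DIR/machine.crt" || return 1
    cp "$KEYS_DIR/machine.crt" "$KEYS_DIR/ssoserver.crt"
    # Stop here if the staged chain does not end at ssoserverRoot.crt (the mismatch above).
    if ! chain_verifies "$KEYS_DIR/machine.crt" "$root"; then
        echo "machine.crt does not chain to $root; restore from $backup" >&2
        return 1
    fi
    echo "keys staged; continue with the Refresh the STS Certificate step"
}
if [ "${RUN_STS_PREFLIGHT:-0}" = 1 ]; then main; fi
```

Run it on the appliance with RUN_STS_PREFLIGHT=1 (and ROOT_CA_FILE set if ssoserverRoot.crt still holds the install-time root) before the "Refresh the Security Token Service Certificate" step.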
sckgeneral
Contributor

Hello, mc1903cae. I have the same problem. How did you delete the STS certificate chain?
