2 Replies Latest reply on Jun 15, 2020 3:43 AM by mc1903cae

    How do I view/manage Single Sign-On Security Token Service (STS) Signing Certificates in vCenter Server 7.0?

    mc1903cae Enthusiast

      Hi,

       

      Can anyone please advise how I view/manage the STS certificates in vCenter Server v7.0?

       

      In v6.x this could be done via the Web Client (Flash Client) by following the path "Administrator > Single Sign-On > Configuration > Certificates > STS Signing"

       

      However the Flash Client is not available in v7.0 and there is no STS Signing option in the HTML5 Client. I have found specific reference to "Note: The STS certificate cannot be viewed from the HTML5 client" in https://kb.vmware.com/s/article/79248

       

      I have downloaded the checksts.py python script that is mentioned in KB79248 and I can see the STS certificate SHA-1 thumbprints (and only that); but that is all it does.

       

       

      I generated & refreshed new STS signing certs based on my VMCA signed certificate chain, and now I need to delete the old STS leaf & root certificates (highlighted).

       

      I know it is against VMware's recommendation to replace these internal/self-signed STS certificates, but in some environments this is not acceptable.

       

      Is there a CLI command to manage them, as the HTML5 client is clearly not 'feature parity' with the Web Client in this respect. :-(

       

      As always, any help or advice will be welcomed.

       

      Thanks

      M

        • 1. Re: How do I view/manage Single Sign-On Security Token Service (STS) Signing Certificates in vCenter Server 7.0?
          msripada Expert
          vExpert

          Unfortunately there is no direct way to manage STS certificates in vCenter 7.0 via webclient unlike in 6.x

          VMware is aware of this

           

          If the certificates in vCenter 7.0 are not expired, you can use the steps in the below docs to update the certs

          Managing Security Token Service

           

          thanks,

          MS

          • 2. Re: How do I view/manage Single Sign-On Security Token Service (STS) Signing Certificates in vCenter Server 7.0?
            mc1903cae Enthusiast

            Hi msripada,

             

            Thank you - Its exactly what I expected to be honest, as its usual to lose some existing functionality in a new vSphere release; I guess the need to get new features working is a higher priority than porting existing rarely used features into the HTML5 client. #frustrating

             

            For anyone following the "Generate a New STS Signing Certificate on the Appliance" procedure mentioned in Managing Security Token Service be cautious with step 6.

             

             

            My vCenter 7.0 server's VMCA is configured as a subordinate to my enterprise PKI (Root CA & Inter CA), but the file /etc/vmware-sso/keys/ssoserverRoot.crt was the old self-signed root CA generated during the vCenter Server install.

             

            I broke my vCenter Server the first time (vpxd service failed to start on boot) as I did not notice this. :-(

             

            I reverted my vCenter Server snapshot, backed up the 3 certs in the /etc/vmware-sso/keys/ directory, replaced the default ssoserverRoot.crt cert with my Ent PKI Root CA certificate.

             

            For completeness, I also replaced the machine.crt and ssoserver.crt file (they are identical) with the MACHINE_SSL certificate chain from the VECS Machine SSL cert store:

             

            /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > /etc/vmware-sso/keys/machine.crt

             

            cp /etc/vmware-sso/keys/machine.crt /etc/vmware-sso/keys/ssoserver.crt

             

            I ran the remainder of the procedure (Refresh the Security Token Service Certificate) and vCenter Server boots just fine.

             

            Cheers

            Martin