Unfortunately there is no direct way to manage STS certificates in vCenter 7.0 via the web client, unlike in 6.x.
VMware is aware of this.
If the certificates in vCenter 7.0 are not expired, you can use the steps in the docs below to update the certs.
Thank you - It's exactly what I expected to be honest, as it's usual to lose some existing functionality in a new vSphere release; I guess the need to get new features working is a higher priority than porting existing, rarely used features into the HTML5 client. #frustrating
For anyone following the "Generate a New STS Signing Certificate on the Appliance" procedure mentioned in Managing Security Token Service, be cautious with step 6.
My vCenter 7.0 server's VMCA is configured as a subordinate to my enterprise PKI (Root CA & Inter CA), but the file /etc/vmware-sso/keys/ssoserverRoot.crt was the old self-signed root CA generated during the vCenter Server install.
I broke my vCenter Server the first time (the vpxd service failed to start on boot) as I did not notice this. :-(
I reverted my vCenter Server snapshot, backed up the 3 certs in the /etc/vmware-sso/keys/ directory, and replaced the default ssoserverRoot.crt cert with my Ent PKI Root CA certificate.
For completeness, I also replaced the machine.crt and ssoserver.crt files (they are identical) with the MACHINE_SSL certificate chain from the VECS Machine SSL cert store:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > /etc/vmware-sso/keys/machine.crt
cp /etc/vmware-sso/keys/machine.crt /etc/vmware-sso/keys/ssoserver.crt
I ran the remainder of the procedure (Refresh the Security Token Service Certificate) and vCenter Server boots just fine.
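The trap described in the post above is that step 6 assumes /etc/vmware-sso/keys/ssoserverRoot.crt is the root of the chain vCenter actually uses, which is not true once the VMCA has been made a subordinate of an enterprise PKI. The following pre-flight script is an added example; it is not from this thread and not VMware tooling. It backs up the three files, pulls the Machine SSL chain from VECS with the same vecs-cli command quoted above, and uses openssl verify to decide whether ssoserverRoot.crt really anchors that chain before you overwrite anything. The key directory and the vecs-cli command are taken from the post; the function names, the backup location, the sts-preflight.sh filename and the use of openssl are my assumptions.

```bash
#!/bin/sh
# Pre-flight check for step 6 of "Generate a New STS Signing Certificate on the
# Appliance": before overwriting ssoserverRoot.crt, confirm which root actually
# anchors the chain VECS holds for the Machine SSL certificate.
# Added example, not from the thread or from VMware. KEYS_DIR and the vecs-cli
# command are quoted from the post; everything else here is an assumption.

KEYS_DIR="${KEYS_DIR:-/etc/vmware-sso/keys}"
VECS_CLI="${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}"
BACKUP_DIR="${BACKUP_DIR:-/root}"

# Subject / issuer of the first certificate in a PEM file, with the
# "subject=" / "issuer=" prefix stripped (OpenSSL 1.x and 3.x output formats).
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# Returns 0 if the certificate in $1 is self-signed (subject equals issuer),
# which is what the VMCA root generated at install time looks like.
is_self_signed() { [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]; }

# Returns 0 if the candidate root ($1) is the trust anchor for the chain in $2.
# The leaf (first cert in the chain file) is verified against $1 alone; the
# other certificates in the chain are offered only as untrusted intermediates,
# so a self-signed root that merely appears inside the chain does not count.
root_signs_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Copy the three key-store files into a backup directory ($1, or a timestamped
# directory under BACKUP_DIR) and print the directory path.
backup_sso_keys() {
    dest="${1:-$BACKUP_DIR/sso-keys-backup.$(date +%Y%m%d%H%M%S)}"
    mkdir -p "$dest" || return 1
    for f in ssoserverRoot.crt ssoserver.crt machine.crt; do
        [ -f "$KEYS_DIR/$f" ] && cp -p "$KEYS_DIR/$f" "$dest/"
    done
    echo "$dest"
}

# The pre-flight itself: back up, fetch the Machine SSL chain from VECS, and
# refuse (exit 1) if ssoserverRoot.crt is not the root of that chain.
preflight() {
    backup=$(backup_sso_keys) || return 1
    echo "backed up $KEYS_DIR/*.crt to $backup"

    chain=$(mktemp) || return 1
    "$VECS_CLI" entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > "$chain" || return 1

    root="$KEYS_DIR/ssoserverRoot.crt"
    echo "ssoserverRoot.crt subject: $(cert_subject "$root")"
    echo "Machine SSL leaf issuer:   $(cert_issuer "$chain")"

    if root_signs_chain "$root" "$chain"; then
        echo "OK: ssoserverRoot.crt anchors the Machine SSL chain; step 6 is safe here"
        rm -f "$chain"
        return 0
    fi
    echo "STOP: ssoserverRoot.crt does NOT anchor the Machine SSL chain." >&2
    if is_self_signed "$root"; then
        echo "It is a self-signed root (probably the original VMCA root); replace it" >&2
        echo "with the enterprise PKI root that issued the chain before running step 6." >&2
    fi
    rm -f "$chain"
    return 1
}

# Run the check only when executed as sts-preflight.sh, not when sourced.
case "$0" in
    */sts-preflight.sh|sts-preflight.sh) preflight ;;
esac
```

Run it as root on the appliance before step 6; a "STOP" result means the file you are about to hand to the STS procedure is not the root your Machine SSL chain was issued from, which is exactly the state that left vpxd unable to start in the post above. The chain file written to $chain is the same output you would redirect into machine.crt and ssoserver.crt afterwards.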