"Signing certificate is not valid" or "No healthy upstream" error in vCenter Server Appliance
Article ID: 316619

Updated On: 04-14-2025

Products: VMware vCenter Server, VMware vCenter Server 7.0, VMware vCenter Server 8.0

Issue/Introduction

This article provides steps for regenerating and replacing an expired Security Token Service (STS) certificate in VCSA 6.5.x, 6.7.x and 7.0.x and in vCenter Server 8.0.x using a shell script.

For steps on regenerating and replacing STS certificate in VMware vCenter Server 6.5.x and 6.7.x installed on Windows using a PowerShell script, see "Signing certificate is not valid" error in vCenter Server 6.5.x and 6.7.x on Windows.

For more information on STS certificates, see Security Token Service (STS).


In an environment with a vCenter Server Appliance (VCSA) 6.5.x or 6.7.x, or with vCenter Server 7.0.x or 8.0.x, these symptoms may appear:

  • The vmware-vpxd service fails to start.
  • Logging in to the vSphere Client fails with the error: HTTP Status 400 – Bad Request Message BadRequest, Signing certificate is not valid
  • In the /var/log/vmware/vpxd-svcs/vpxd-svcs.log file, there may be entries similar to:

    ERROR com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor opId=] Server rejected the provided time range. Cause:ns0:InvalidTimeRange: The token authority rejected an issue request for TimePeriod [startTime=Date MM DD:TT:SS EST YYYY, endTime=Date MM DD:TT:SS EST YYYY] :: Signing certificate is not valid at Date MM DD:TT:SS EST YYYY, cert validity: TimePeriod [startTime=Date MM DD:TT:SS EST YYYY, endTime=Date MM DD:TT:SS EST YYYY]


  • In /var/log/vmware/sso/vmware-identity-sts.log you may see errors similar to: 
    ERROR sts[##:tomcat-http--##] Throwing InvalidTimeRangeException! The token authority rejected an issue request for time period [startTime=Sat Mar 15 14:20:56 GMT 2025, endTime=Sat Mar 15 14:30:56 GMT 2025] :: Signing certificate is not valid
  • Logging in through the Web Client displays a message similar to: "Username and password are required"
  • Replacing any certificate on either PSC or VCSA fails.
  • Adding, modifying or deleting registrations from the Lookup Service manually using the lsdoctor tool fails.
  • Deploying a new PSC and doing a cross-domain repoint fails.
  • Deploying a new PSC as a replication partner on the existing SSO domain fails.
  • Logging in through the Web client displays errors similar to:
    Cannot connect to vCenter Single Sign-On server https://VC_FQDN/sts/STSService/vsphere.local
    OR
    Cannot connect to vCenter Single Sign-On server https://VC_FQDN:7444/sts/STSService/vsphere.local
    OR
    [400] An error occurred while sending an authentication request to the vCenter Single Sign-On server
  • Connecting services with VCSA fails with vpxd authorization errors similar to:
    [YYYY-MM-DDTHH:MM:SS] info vpxd[12853] [Originator@6876 sub=vpxCryptopID=###-########] Failed to read X509 cert; err: 151441516


  • Trying to export a VM as OVF fails, and /var/log/vmware/content-library/cls.log contains the following error:
    [YYYY-MM-DDTHH:MM:SS] [INFO ] http-nio-####-exec-#### ######## ####### ###### com.vmware.vise.security.spring.DefaultAuthenticationProvider     Session initialization complete for sessionId ######, clientId ######
    [YYYY-MM-DDTHH:MM:SS] [INFO ] http-nio-####-exec-#### com.vmware.vapi.security.AuthenticationFilter                     Authentication failed com.vmware.vapi.std.errors.Unauthenticated: Unauthenticated (com.vmware.vapi.std.errors.unauthenticated) => {
            at com.vmware.cis.data.service.session.SessionAuthenticationHandler.authenticate(SessionAuthenticationHandler.java:36)
            at com.vmware.vapi.security.AuthenticationFilter.invoke(AuthenticationFilter.java:233)
Environment

VMware vCenter Server 6.5.x
VMware vCenter Server 6.7.x
VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x
Cause

These issues occur when the Security Token Service (STS) certificate has expired. Internal services and solution users can then no longer acquire valid tokens, so they fail to function as expected.

Note: When the STS certificate expires, it does so without warning. On some systems, this expiry may occur as soon as two years from the initial deployment.

The following scenarios can cause the STS signing certificate to expire after 2 years:

  • Fresh installation of PSC/vCenter Server 6.5 starting with U2 or later (6.5 only).
  • Fresh installation of PSC/vCenter Server 6.5 U2 or any later 6.5 releases and upgraded to a later version including 6.7 and 7.0.
  • STS signing certificate has been replaced using certool post-installation of PSC or vCenter Server.
  • STS signing certificate has been replaced with custom certificate (Internal/External CA Signed).
  • STS certificate generated with the fixsts.sh script.
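
The following is an added example, not part of this KB and not VMware's vCert or fixsts tooling. It scans log lines in the two formats quoted in the symptoms above (vpxd-svcs.log and vmware-identity-sts.log) for the "Signing certificate is not valid" marker, extracts the certificate validity window that the vpxd-svcs entry carries, and reports the certificate's lifetime (flagging the two-year lifetime described in the scenarios above) and how many days past expiry the failing request was. The sample log lines, timestamps, thread ids, validity window, and all function and constant names are constructed for illustration.

```python
"""Scan vCenter log lines for the expired-STS-signing-certificate symptom.

Added example, not part of this KB and not VMware tooling. Function names,
constants and the sample log lines below are constructed for illustration.
"""
import re
from datetime import datetime

STS_MARKER = "Signing certificate is not valid"

# Java Date.toString() layout used inside the entries, e.g. "Sat Mar 15 14:20:56 GMT 2025".
# The zone name is captured separately because strptime's %Z only accepts a few names.
JAVA_DATE = r"(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) ([A-Za-z]+) (\d{4})"
VALIDITY_RE = re.compile(
    r"cert validity: TimePeriod \[startTime=" + JAVA_DATE + r", endTime=" + JAVA_DATE + r"\]"
)
FAILED_AT_RE = re.compile(re.escape(STS_MARKER) + r" at " + JAVA_DATE)

# Constructed sample lines modelled on the vpxd-svcs.log and vmware-identity-sts.log
# entries quoted in this KB; timestamps, thread ids and the validity window are invented.
SAMPLE_LINES = [
    "2025-03-15T14:21:00.123Z ERROR com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl"
    "$RequestResponseProcessor opId=] Server rejected the provided time range. "
    "Cause:ns0:InvalidTimeRange: The token authority rejected an issue request for TimePeriod "
    "[startTime=Sat Mar 15 14:20:56 GMT 2025, endTime=Sat Mar 15 14:30:56 GMT 2025] :: "
    "Signing certificate is not valid at Sat Mar 15 14:20:56 GMT 2025, cert validity: TimePeriod "
    "[startTime=Thu Mar 09 10:00:00 GMT 2023, endTime=Sat Mar 08 10:00:00 GMT 2025]",
    "2025-03-15T14:21:01.456Z ERROR sts[12:tomcat-http--7] Throwing InvalidTimeRangeException! "
    "The token authority rejected an issue request for time period "
    "[startTime=Sat Mar 15 14:20:56 GMT 2025, endTime=Sat Mar 15 14:30:56 GMT 2025] :: "
    "Signing certificate is not valid",
    "2025-03-15T14:21:02.789Z INFO  sts[12:tomcat-http--8] Token issued for solution user",
]


def parse_java_date(stamp, zone, year):
    """Parse a Java-style date; returns a naive datetime plus the zone name.
    All stamps in one log share a zone, so the naive values compare correctly."""
    return datetime.strptime(f"{stamp} {year}", "%a %b %d %H:%M:%S %Y"), zone


def analyze_line(line):
    """Return a finding dict for a line carrying the STS marker, else None."""
    if STS_MARKER not in line:
        return None
    finding = {"not_before": None, "not_after": None, "failed_at": None, "zone": None}
    m = VALIDITY_RE.search(line)
    if m:
        finding["not_before"], finding["zone"] = parse_java_date(*m.group(1, 2, 3))
        finding["not_after"], _ = parse_java_date(*m.group(4, 5, 6))
    m = FAILED_AT_RE.search(line)
    if m:
        finding["failed_at"], _ = parse_java_date(*m.group(1, 2, 3))
    return finding


def summarize(lines, two_year_slack_days=2):
    """Count marker hits and, where a validity window is present, derive the
    certificate lifetime (a two-year lifetime is flagged, matching the Cause
    section) and how many days past expiry the failing request was."""
    findings = [f for f in map(analyze_line, lines) if f]
    summary = {"matches": len(findings), "not_after": None, "lifetime_days": None,
               "two_year_lifetime": False, "days_expired": None}
    for f in findings:
        if f["not_before"] and f["not_after"]:
            lifetime = (f["not_after"] - f["not_before"]).days
            summary["not_after"] = f["not_after"]
            summary["lifetime_days"] = lifetime
            summary["two_year_lifetime"] = abs(lifetime - 730) <= two_year_slack_days
            if f["failed_at"]:
                summary["days_expired"] = (f["failed_at"] - f["not_after"]).days
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run it against a copy of the two log files (for example by reading them line by line and passing the lines to summarize) to confirm the symptom and to see the exact expiry date before replacing the certificate; the vmware-identity-sts.log entry carries only the marker, so the validity window is always taken from the vpxd-svcs.log entry.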

Resolution

NOTE: Take a snapshot without memory of the vCenter Server if it is in standalone mode, or powered-off snapshots of all vCenter Servers in the same SSO domain if they are in linked mode.

The script previously attached to this KB is deprecated.

Use the new and improved certificate management tool, vCert - Scripted vCenter Expired Certificate Replacement, for all certificate management and replacement workflows:

  • Download and install vCert on the vCenter Server Appliance as described in its Installation section.
  • Check the STS signing certificate.
  • Replace the STS signing certificate.

Additional Information
Warning

Take an offline snapshot concurrently for all vCenter Servers and Platform Service Controllers in the SSO domain before running the script. Failing to do so may result in an unrecoverable error and require redeploying vCenter Server.

Notes: