Follow the steps below to update the STS signing certificate using the vSphere Client UI.
Note: Before making any changes, create offline (cold) snapshots of all vCenter Servers in the environment.
Refer to "Snapshot Best practices for vCenter Server Virtual Machines" for details.
- Connect to the vSphere Client (https://vcenter_server_ip_address_or_fqdn/ui).
- From the Home menu, select Administration.
- Under Certificates, click Certificate Management.
- From the Actions drop-down on the STS signing certificate card, the following options are shown:
  - Refresh with vCenter certificate (Recommended)
    - Click the Refresh button in the Refresh with vCenter Certificate dialog window.
    - In some environments, the Refresh button in the 'Refresh with vCenter Certificate' dialog may be replaced with a 'Force Refresh' button.
    - Clicking the 'Refresh' button may bring up a new 'Refresh with vCenter Certificate' dialog with a 'Force Refresh' button.
    - Clicking Force Refresh requires rebooting all VCSA systems and may leave those systems unusable. If restarting all VCSA systems is not an option, or if there is concern about the consequences of 'Force Refresh', press Cancel.
    - Using the 'Refresh' action replaces any third-party/custom certificates with vCenter-issued certificates. If third-party/custom certificates are required for compliance reasons, this will take the vSphere environment out of compliance.
  - Import and Replace Certificate (used to provide certificates such as custom or third-party certificates):
    - Import a PEM file containing the signing certificate chain and the private key that the vCenter token service will use to sign tokens.
      The chain must be a valid certificate chain with the leaf certificate marked for the digital signature key usage, together with the corresponding private key.
- Upon a successful Import and Replace or Refresh action, the UI may indicate that a reboot of all VCSA systems is required. If indicated, all VCSA systems in the SSO domain must be restarted manually.
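As an added pre-check for the PEM file used by Import and Replace Certificate (example code, not part of this article or of VMware's tooling), the POSIX shell function below assumes the bundle is ordered leaf certificate first, issuer certificates next, then the private key, and that openssl is on the PATH; it verifies the key-usage, key-match and chain requirements stated above before the file is uploaded.

```shell
#!/bin/sh
# Pre-flight check for a PEM bundle intended for "Import and Replace Certificate".
# Added example, not VMware tooling. Assumes the bundle holds the signing chain
# (leaf first, issuers after) plus the private key, and that openssl is installed.
# Verifies the three things the import requires: leaf has Digital Signature key
# usage, the private key matches the leaf, and the leaf chains to the bundled CA.
check_sts_bundle() {
  bundle="$1"
  tmp=$(mktemp -d) || return 1
  # Split each certificate block into its own file; cert1.pem is the leaf.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++; f=d "/cert" n ".pem"}
       f{print > f} /-----END CERTIFICATE-----/{close(f); f=""}' "$bundle"
  # Pull out the private key block (PKCS#8, RSA or EC PEM headers).
  awk '/-----BEGIN (RSA |EC )?PRIVATE KEY-----/{p=1} p{print}
       /-----END (RSA |EC )?PRIVATE KEY-----/{p=0}' "$bundle" > "$tmp/key.pem"
  leaf="$tmp/cert1.pem"
  if [ ! -s "$leaf" ] || [ ! -s "$tmp/key.pem" ]; then
    echo "bundle must contain a certificate and a private key" >&2
    rm -rf "$tmp"; return 1
  fi
  # 1) The leaf signs SAML tokens, so it must carry the Digital Signature key usage.
  if ! openssl x509 -in "$leaf" -noout -text | grep -A1 'X509v3 Key Usage' \
       | grep -q 'Digital Signature'; then
    echo "leaf certificate lacks Digital Signature key usage" >&2
    rm -rf "$tmp"; return 2
  fi
  # 2) The private key must correspond to the leaf's public key (compare SPKI PEM).
  if [ "$(openssl x509 -in "$leaf" -noout -pubkey)" != \
       "$(openssl pkey -in "$tmp/key.pem" -pubout)" ]; then
    echo "private key does not match the leaf certificate" >&2
    rm -rf "$tmp"; return 3
  fi
  # 3) Chain check: the last certificate is the trust anchor; any certificates
  #    between it and the leaf are passed as untrusted intermediates.
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
  i=2; : > "$tmp/untrusted.pem"
  while [ "$i" -lt "$n" ]; do cat "$tmp/cert$i.pem" >> "$tmp/untrusted.pem"; i=$((i + 1)); done
  if [ "$n" -gt 2 ]; then set -- -untrusted "$tmp/untrusted.pem"; else set --; fi
  if ! openssl verify -CAfile "$tmp/cert$n.pem" "$@" "$leaf" >/dev/null 2>&1; then
    echo "leaf certificate does not verify against the bundled chain" >&2
    rm -rf "$tmp"; return 4
  fi
  rm -rf "$tmp"
  echo "bundle OK: $(openssl x509 -in "$bundle" -noout -subject)"
}
```

Run it as `check_sts_bundle sts-bundle.pem`; a non-zero exit code identifies which of the three requirements failed.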