This article provides information on how to replace certificates using H5C UI in vCenter server 7.0 Update 3 and later.

There will be an alarm in the vSphere UI:

STS Signing Certificates are about to expire

Follow the steps below to Update the STS signing certificate using vSphere client UI.

Note: Before making any changes, please create offline (cold) snapshots of all the vCenter servers in the environment.

In an Enhanced Linked Mode (ELM) setup, this should be performed on a single vCenter, and a restart of all systems in the SSO domain is required afterward.

1. Connect to the vSphere HTML5 client through https://vcenter_server_ip_address_or_fqdn/ui
2. From Home Menu, Select Administration.
3. Under Certificates, Click on Certificate Management.
4. From the STS signing certificate card Actions drop down, this will be seen:
   1. Refresh with vCenter certificate (Recommended)
      • Click on Refresh button in the Refresh with vCenter Certificate Dialog Window:
      • In some environments, the 'Refresh with vCenter Certificate' dialog's Refresh button may be replaced with a 'Force Refresh' button. Additionally, Clicking on the 'Refresh' button may bring up a new 'Refresh with vCenter Certificate' dialog with a 'Force Refresh' button. clicking on Force Refresh requires rebooting all VCSA systems and may render those systems not able to be used. If restarting all VCSA systems is not an option or if there is a concern on the consequences of 'Force Refresh', press cancel.
      • This will be taken back to the same dialog with an error message displayed. Press cancel and follow KB: "Signing certificate is not valid" or "No healthy upstream" error in vCenter Server Appliance.
      • Using the 'Refresh' action will replace any 3rd party/custom certificates with vCenter-issued certificates. If the 3rd party/custom certificates are required for compliance reasons, this will take the vSphere out of compliance.
   2. Import and Replace Certificate (This is to provide certificates such as custom or third-party certificates):
      1. Select a PEM file which contains a valid certificate chain with the leaf cert marked for digital signature key usage and the corresponding unencrypted private key.
5. Upon the successful Import and Replace/Refresh action, the UI may indicate that rebooting of all VCSA systems is required. If indicated, all VCSA systems in the SSO domain must be restarted manually.

• "Signing certificate is not valid" error in vCenter Server 6.5.x and 6.7.x on Windows
• For more information on STS certificates, see below linked articles depending on version.
  • VCSA 7.0 - Refresh a vCenter Server STS Certificate Using the vSphere Client
  • VCSA 8.0 - Managing the vCenter Server Security Token Service.
    
    Impact/Risks:
    If the STS signing certificates expire without replacing them, vCenter will no longer be functional.