This article provides information on how to replace certificates using H5C UI in vCenter server 7.0 Update 3 and later

Symptoms:

There will be an alert in the vSphere UI:

STS Signing Certificates are about to expire

To Update the STS signing certificate using H5C UI:

Steps to Update the Certificate:

Note: Before making any changes, please create offline or cold snapshots of all the vCenter servers in the environment.

In an Enhanced Linked Mode (ELM) setup, this should be performed on a single vCenter, and a restart of all systems in the SSO domain is required afterward.

1. Connect to the vSphere HTML5 client through https://vcenter_server_ip_address_or_fqdn/ui
2. From Home Menu, Select Administration.
3. Under Certificates, Click on Certificate Management.
4. From the STS signing certificate card Actions drop down, this will be seen:
   1. Refresh with vCenter certificate (Recommended)
      • Click on Refresh button in the Refresh with vCenter Certificate Dialog Window:
      • In some environments, the 'Refresh with vCenter Certificate' dialog's Refresh button may be replaced with a 'Force Refresh' button. Additionally, Clicking on the 'Refresh' button may bring up a new 'Refresh with vCenter Certificate' dialog with a 'Force Refresh' button. clicking on Force Refresh requires rebooting all systems and may render systems not able to be used. If restarting all systems is not an option or if there is a concern on the consequences of 'Force Refresh', press cancel.
      • This will be taken back to the same dialog with an error message displayed. Press cancel and follow KB: "Signing certificate is not valid" error in vCenter Server Appliance
      • Using the 'Refresh' action will replace any 3rd party/custom certificates with vCenter-issued certificates. If the 3rd party/custom certificates are required for compliance reasons, this will take the vSphere out of compliance.
   2. Import and Replace Certificate (This is to provide certificates such as custom or third-party certificates):
      1. Select a PEM file which contains a valid certificate chain with the leaf cert marked for digital signature key usage and the corresponding unencrypted private key.
5. Upon the successful Import and Replace/Refresh action, the UI may indicate that rebooting of all systems is required. If indicated, all systems in the SSO domain must be restarted manually (VC/PSCs)

• "Signing certificate is not valid" error in vCenter Server Appliance
• "Signing certificate is not valid" error in vCenter Server 6.5.x and 6.7.x on Windows (broadcom.com)
• For more information on STS certificates, See Managing the vCenter Server Security Token Service.
  
  Impact/Risks:
  If the STS signing certificates expire without replacing them, vSphere will no longer be functional.