Checking Expiration of STS Certificate on vCenter Servers

Products

VMware vCenter Server

Issue/Introduction

This article provides steps to identify the expiry date of the VMware STS certificate.

Notes:

The certificate expiry alarm does not account for the STS certificate.
VMware recommends replacing the certificate if it is set to expire within 6 months. If the expiry date will occur in more than six months, schedule the certificate replacement at the appropriate time.
If the STS certificate is about to expire or if it is already expired, see:
- "Signing certificate is not valid" error in VCSA 6.5.x/6.7.x and vCenter Server 7.0.x (316619)
- "Signing certificate is not valid" error in vCenter Server 6.5.x and 6.7.x on Windows (338889)

Symptoms:

VMware Security Token Service (STS) certificate is about to expire.
VMware Secure Token Service (STS) certificate status check.

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 6.7.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 6.5.x
VMware vCenter Server 8.0.x

Cause

Here are the scenarios where STS signing certificate is expected to have a lifetime of around 2 years.

Notes:

Not all 6.5 U2 or later but only 6.5 U2 or later on 6.5 release lines only.
Fresh installation of PSC/vCenter Server 6.5 starting with U2 or later (6.5 lines only).
Fresh installation of PSC/vCenter Server 6.5 U2 or any later 6.5 releases and upgraded to a later version including 6.7 and 7.0.
STS signing certificate has been replaced using certool post-installation of PSC or vCenter Server.
STS signing certificate has been replaced with custom certificate (Internal/External CA Signed).

Resolution

Important: In vCenter Server version 6.5U3k, 6.7 U3j, or 7.0 U1, you receive a weekly notification when the vCenter Single Sign-On Security Token Service (STS) signing certificate is close to expiration. Notifications start 90 days before the STS certificate expires and turn into daily over the last week before expiration.

To verify the expiry date of your VMware Security Token Service (STS):

HTML 5 client

Note: Available from vCenter Server 7.0 Update2 and later.

Connect to the vSphere HTML5 client through https://vcenter_server_ip_address_or_fqdn/ui.
From Home Menu, Select Administration.
Under Certificates, Click on Certificate Management.
View STS signing Certificate information.

Note: The card will have the following information:

"Valid until" date which indicates when the certificate will expire.
A green check for a valid certificate, and an orange check warning of a certificate expiration.
A View Details link to show additional details of the active certificate chain.

VCSA

Download the attached checksts.py script attached to this article.
Upload to attached script to the VCSA or external PSC.

For example, /tmp

Note: You may use WinSCP to upload the script to VCSA. For additional information, see Error when uploading files to vCenter Server Appliance using WinSCP (326317).

If you get an error for connecting to the VCSA via WinSCP run the following command:

chsh -s /bin/bash root as per above the link.

Once the script has been successfully uploaded to VCSA, change the directory to /tmp.

For example:

cd /tmp
Run python checksts.py.

Windows

Download the attached checksts.py script attached to this article.
Upload to attached script to the Windows Server on which vCenter Server is installed:

For example %TEMP%
Once the script has been successfully uploaded to Windows, change the directory to %TEMP%.
Run "%VMWARE_PYTHON_BIN%" checksts.py.

Web Client Flash

Note: Adobe Flash Player is going End of Life (EOL) on Dec 31, 2020. The major web browser manufacturers have aligned their efforts to disable/stop running Flash applications around this date. For more information on a flash certificate, see VMware Flash End of Life and Supportability (367537).

Connect to the vSphere Web client through https://vcenter_server_ip_address_or_fqdn/vsphere-client.
Select Administration > Single Sign-On > Configuration > Certificates > STS Signing.

Note: You cannot view the STS certificate from the HTML5 client.

▶

Additional Information

Important: The certificate expiry alarm does not account for the STS certificate. The only method to determine the expiry date of the STS certificate is in the resolution of this article. VMware recommends occasionally check the STS certificate to ensure it does not expire. For additional information, see VMware's vSphere blog:
Signing Certificate is Not Valid – Security Token Service Certificate Issue in vSphere.

Download/replace or change/create STS certificate: For more information on Status Alarms for certificates other than STS certificates, see CertificateStatusAlarm - There are certificate that expired or about to expire / Certificate Status Change Alarm Triggered on VMware vCenter Server (318973).

VMware Skyline Health Diagnostics for vSphere - FAQ (345059)
"503 Service Unavailable" error on the vSphere Web Client when logging in or accessing the vCenter Server (337535)

▶

Attachments

checksts get_app