vCert Tool Reports: 'TenantCredential signing certificate EXPIRED'

Article ID: 394899

Updated On:

Products

VMware vCenter Server

Issue/Introduction

When performing a certificate check with the vCert - Scripted vCenter Expired Certificate Replacement tool, you may see the following finding (the number in TenantCredential may differ):

Checking TenantCredential-1:
   TenantCredential-1 signing certificate                 EXPIRED

 

The vSphere Diagnostic Tool (VDT) reports at least one expired STS certificate:

VC STS Certificate Check
            [FAIL]    STS Certificate Check
                        1x expired STS certificates.
                        Documentation:     https://knowledge.broadcom.com/external/article?legacyId=76719 

If there are multiple TenantCredentials and at least one of them is not expired, the STS Certificate check fails in VDT, while vCert only marks the individual expired TenantCredential entries rather than reporting an STS certificate error.

This occurs when the STS certificate was renewed correctly (so there is no impact on the system), but at least one of the older TenantCredential entries for the STS certificate has since expired.

Environment

vCenter Server Appliance 7.0 +
vCenter Server Appliance 8.0 +

Cause

The finding is an expired STS certificate. There may be more than one TenantCredential entry, and the expiry only causes a problem if every TenantCredential certificate has expired.

However, certain pre-checks and second- or third-party solutions may highlight this as an issue.

Multiple TenantCredentials indicate that previous STS certificates were not cleaned up in the environment and are left over from a past renewal.
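The logic the two tools apply, as an added example written for this article (it is not vCert, VDT or any VMware script): parse the TenantCredential entries as ldapsearch would return them from vmdir, read each certificate's notAfter, and report three things, the per-entry EXPIRED that vCert prints, the any-expired failure that VDT raises, and whether every entry is expired, which is the only case with real impact. The ldapsearch base DN (cn=<domain>,cn=Tenants,cn=IdentityManager,cn=Services,...), filter (objectclass=vmwSTSTenantCredential) and attribute (userCertificate) are assumptions about the vmdir layout, not taken from this article; the certificates in the sample LDIF are synthetic and constructed inline so the script runs offline.

```python
"""Classify STS TenantCredential certificates the way vCert and VDT do.

Added example, not VMware code. Assumed input: LDIF from
  ldapsearch -LLL -h localhost -p 389 -D "cn=administrator,cn=users,dc=vsphere,dc=local" -w '...' \
    -b "cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local" \
    "(objectclass=vmwSTSTenantCredential)" userCertificate
(base DN, filter and attribute are assumptions). Sample certs below are synthetic.
"""
import base64
import datetime as dt


def _der(tag, payload):
    """Encode one DER TLV (only used to build the synthetic sample certs)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _tlv(buf, pos):
    """Decode the DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, raw):
    """UTCTime (0x17) or GeneralizedTime (0x18) -> timezone-aware UTC datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(raw.decode(), fmt).replace(tzinfo=dt.timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                          # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                          # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)                         # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)                     # serialNumber
    _, _, pos = _tlv(tbs, pos)                         # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                         # issuer
    _, validity, _ = _tlv(tbs, pos)                    # validity { notBefore, notAfter }
    t1, nb, p = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, p)
    return _parse_time(t1, nb), _parse_time(t2, na)


def parse_ldif(text):
    """Parse 'ldapsearch -LLL' output into [{attr: [values]}], honouring
    '::' (base64) values and leading-space line folding."""
    entries, entry, last = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if entry:
                entries.append(entry)
            entry, last = {}, None
        elif raw.startswith(" ") and last is not None:
            entry[last][-1] += raw[1:]                 # folded continuation line
        else:
            attr, sep, value = raw.partition("::")
            if not sep:
                attr, _, value = raw.partition(":")
            entry.setdefault(attr, []).append(value.strip())
            last = attr
    if entry:
        entries.append(entry)
    return entries


def classify(ldif_text, now_iso=None):
    """Per-TenantCredential status plus the two verdicts the article contrasts:
    VDT fails when ANY entry is expired; signing is only broken when ALL are."""
    now = (dt.datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso
           else dt.datetime.now(dt.timezone.utc))
    per_credential = {}
    for entry in parse_ldif(ldif_text):
        name = entry["dn"][0].split(",")[0].split("=", 1)[1]      # cn=TenantCredential-N
        certs = [base64.b64decode(v) for v in entry.get("userCertificate", [])]
        expired = any(cert_validity(c)[1] < now for c in certs)
        per_credential[name] = "EXPIRED" if expired else "VALID"
    statuses = list(per_credential.values())
    return {"per_credential": per_credential,
            "vdt_fail": "EXPIRED" in statuses,
            "all_expired": bool(statuses) and all(s == "EXPIRED" for s in statuses)}


def _synthetic_cert(not_before, not_after):
    """Constructed DER Certificate with a real Validity and dummy other fields."""
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))
           + _der(0x30, b"") + _der(0x30, utc(not_before) + utc(not_after))
           + _der(0x30, b"") + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


def _ldif_entry(name, der):
    """Constructed LDIF entry, folded at 76 columns like ldapsearch does."""
    b64 = "userCertificate:: " + base64.b64encode(der).decode()
    lines = [f"dn: cn={name},cn=vsphere.local,cn=Tenants,cn=IdentityManager,"
             f"cn=Services,dc=vsphere,dc=local", b64[:76]]
    lines += [" " + b64[i:i + 75] for i in range(76, len(b64), 75)]
    return "\n".join(lines) + "\n"


# Constructed sample: TenantCredential-1 is a stale entry from an earlier renewal
# (expired 2023); TenantCredential-2 is the current signing certificate.
SAMPLE_LDIF = (_ldif_entry("TenantCredential-1", _synthetic_cert(dt.datetime(2013, 1, 1), dt.datetime(2023, 1, 1)))
               + "\n" + _ldif_entry("TenantCredential-2", _synthetic_cert(dt.datetime(2023, 1, 1), dt.datetime(2033, 1, 1))))

if __name__ == "__main__":
    result = classify(SAMPLE_LDIF, "2025-01-01T00:00:00Z")
    for name, status in result["per_credential"].items():
        print(f"   {name} signing certificate {status:>20}")
    print("VDT STS Certificate Check fails:", result["vdt_fail"])
    print("All TenantCredentials expired (real impact):", result["all_expired"])
```

Against the sample, TenantCredential-1 is reported EXPIRED and TenantCredential-2 VALID, so the VDT-style verdict fails while the all-expired verdict is false, which is exactly the situation this article describes.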

Resolution

NOTE: Before proceeding, be aware that unforeseen issues during use of vCert could render the system inoperable. Ensure you have a valid
VAMI-based backup or offline snapshots of ALL vCenter/PSC nodes in the SSO domain (ELM group)
before continuing. Refer to the following Knowledge Base article:
VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice

 

To resolve the expired STS certificates issue, run vCert and perform the following:

  1. Select option 3. Manage Certificates

  2. Select option 8. STS signing certificates
    • If prompted, provide the local administrator SSO account credentials.

  3. Select option 1. Replace STS Signing certificate with a VMCA-signed certificate

 

Restart services on all vCenter Servers in Enhanced Linked Mode (ELM).

If there are multiple TenantCredentials for the STS certificate, the steps above clean up the stale TenantCredentials, leaving only the single renewed TenantCredential that the system is expected to use.