When performing a certificate check with the vCert - Scripted vCenter Expired Certificate Replacement tool, you may see the following finding (the number in TenantCredential-X may differ):
Checking TenantCredential-1:
TenantCredential-1 signing certificate EXPIRED
vCenter Server Appliance 7.0 +
This is an expired STS certificate. There may be more than one TenantCredential available, and this only causes a problem if all TenantCredential certificates are expired. However, certain pre-checks and 2nd/3rd party solutions may highlight this as an issue.
NOTE: Before proceeding, please know that unforeseen issues during use of vCert could render this system inoperable. Please ensure you have a valid VAMI-based backup or offline snapshots of ALL vCenter/PSC nodes in the SSO domain (ELM group) before continuing. Please refer to the following Knowledge Base article:
VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice
To resolve the issue with vCert, run vCert and perform the following:
1. Select option 3. Manage Certificates
2. Select option 7. STS signing certificates
Restart services on all vCenter servers in Enhanced Linked Mode.