Symptoms:
service-control --status vmware-stsd
YYYY-MM-DDTHH:MM:SS.Z ERROR certificate-manager 'lstool reregister' failed: 1
YYYY-MM-DDTHH:MM:SS.Z INFO certificate-manager Performing rollback of Machine SSL Cert...
Affected versions: vCenter Server 7.0 GA, vCenter Server 7.0 U1
This issue is due to certificate-manager's dependency on the vmware-stsd service. On vCenter Server 7.0 GA and 7.0 U1, when an SSL certificate expires, the vmware-stsd service may stop and fail to start. As a result, certificate-manager is unable to complete the certificate renewal process.
This can occur even when the STS certificate itself has not expired and remains valid.
This issue is fixed in vCenter Server 7.0 U2 and later versions.
To update the SSL certificate on vCenter Server 7.0 GA or 7.0 U1, use the vCert script. Unlike certificate-manager, vCert does not rely on the state of the vmware-stsd service and can successfully renew SSL certificates regardless of whether the service is running.
Important: Before using the vCert script, ensure that you take an offline snapshot of the vCenter Server.
python vCert.py --run config/manage_cert/vmca/op_replace-vmca-cert-and-reset-all.yaml
For detailed instructions on using vCert, refer to vCert - expired certificate replacement script.