The STS certificate validity period remains unchanged even after the certificates are successfully renewed

Article ID: 419938

Products

VMware vCenter Server 8.0

Issue/Introduction

  • When refreshing the vCenter Server Appliance STS signing certificate via the vSphere HTML5 Client, the refresh completes but the new certificate keeps the same validity period (the same expiry date) as the one it replaced.
  • The same behavior occurs when renewing the default VMCA-signed STS signing certificate from the command line with the vCert utility (scripted VCSA expired certificate replacement).

Environment

VMware vCenter Server 8.0

Cause

The STS signing certificate is issued by the VMCA, and the VMCA does not issue certificates that outlive its own root certificate. The validity of a refreshed STS signing certificate is therefore capped at the expiry (notAfter) of the current VMCA root certificate: as long as the VMCA root is not renewed, every refresh produces a new STS certificate with the same end date as the old one.

Resolution

Renew or replace the VMCA root certificate first, and only then refresh the STS signing certificate, either from the vSphere HTML5 Client or with the vCert script. To do this with vCert, follow the steps below:

  1. Download and use the vCert utility as outlined in the referenced KB article: vCert - Scripted vCenter expired certificate replacement
  2. Use a file transfer utility (for example, WinSCP) to copy the ZIP archive to a working directory on the affected VCSA node(s).
  3. To establish an SCP connection to the vCenter Server, you may need to change the default shell for the root user. For detailed steps, refer: Error when uploading files to vCenter Server Appliance using WinSCP
  4. Run the following commands in the directory where the script is located to unpack and execute it:
    1. unzip -q vCert-6.1.0-20250910.zip
    2. cd vCert-6.1.0-20250910
    3. chmod +x vCert.py
    4. ./vCert.py
  5. Within the script, select Option 3 (Manage vCenter Certificates) > Option 9 (VMCA Certificate) > Option 1 (Replace VMCA certificate with a self-signed certificate).
  6. This option replaces only the VMCA certificate with a new self-signed certificate and does not regenerate the other certificate types, so you can renew additional certificates selectively later as needed.
  7. Finally, select Option 8, which renews the STS signing certificate by creating a new entry signed by the newly replaced VMCA; its validity is now bounded by the new VMCA root's expiry.
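Before running the refresh, it is worth confirming that the VMCA root really is what caps the STS certificate, and, after replacing the root, that a refresh will now extend it. The following pre-flight check is an added example written for this article; it is not part of the KB and not part of the vCert utility. It works from the two lines that `openssl x509 -noout -dates -in <cert.pem>` prints for the VMCA root certificate and for the current STS signing certificate, so it assumes both certificates have already been exported to PEM files by whatever means you use; the openssl output, the timestamp used as "now" and the requested ten-year lifetime below are constructed assumptions.

```python
"""Pre-flight check for the STS signing certificate refresh.

Added diagnostic for this article, not KB or vCert code. Input is the
text printed by `openssl x509 -noout -dates -in <cert.pem>` for the VMCA
root and for the current STS signing certificate; how the PEM files are
exported from the VCSA is outside this script. Sample output below is
constructed, not captured from a real appliance.
"""
from datetime import datetime, timedelta, timezone

# Format of the value after "notBefore=" / "notAfter=" in openssl output,
# e.g. "Sep 10 12:00:00 2027 GMT".
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_dates(text: str) -> tuple[datetime, datetime]:
    """Return (notBefore, notAfter) from `openssl x509 -dates` output as UTC datetimes."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FMT)
            found[key] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected notBefore= and notAfter= lines from openssl x509 -dates")
    return found["notBefore"], found["notAfter"]


def capped_not_after(requested_not_after: datetime, issuer_not_after: datetime) -> datetime:
    """VMCA does not issue a certificate that outlives the VMCA root, so the
    end date actually granted is the earlier of the requested end and the root's end."""
    return min(requested_not_after, issuer_not_after)


def diagnose_sts_refresh(vmca_dates: str, sts_dates: str,
                         requested_days: int, now: datetime) -> dict:
    """Report whether refreshing the STS signing certificate now would change its expiry."""
    _, vmca_not_after = parse_openssl_dates(vmca_dates)
    _, sts_not_after = parse_openssl_dates(sts_dates)
    requested = now + timedelta(days=requested_days)
    granted = capped_not_after(requested, vmca_not_after)
    return {
        "vmca_not_after": vmca_not_after,
        "current_sts_not_after": sts_not_after,
        "granted_sts_not_after": granted,
        "capped_by_vmca": granted < requested,
        "refresh_extends_sts": granted > sts_not_after,
        # The situation this KB describes: the refresh "succeeds" but the new
        # certificate ends where the old one did, so the VMCA root has to be
        # replaced (vCert: Option 3 > 9 > 1) before the STS renewal (Option 8).
        "renew_vmca_first": granted <= sts_not_after,
    }


# Constructed sample data (assumptions for the demonstration).
NOW = datetime(2025, 9, 10, 12, 0, tzinfo=timezone.utc)
REQUESTED_DAYS = 3650  # assumed requested lifetime for the new STS certificate

# VMCA root close to expiry, with the STS certificate already pinned to its end date.
VMCA_BEFORE_RENEWAL = "notBefore=Mar 01 12:00:00 2016 GMT\nnotAfter=Mar 01 12:00:00 2026 GMT\n"
STS_CURRENT = "notBefore=Sep 10 12:00:00 2024 GMT\nnotAfter=Mar 01 12:00:00 2026 GMT\n"
# The same root after vCert replaced it with a fresh self-signed certificate.
VMCA_AFTER_RENEWAL = "notBefore=Sep 10 12:00:00 2025 GMT\nnotAfter=Sep 10 12:00:00 2035 GMT\n"

if __name__ == "__main__":
    for label, vmca in (("before VMCA renewal", VMCA_BEFORE_RENEWAL),
                        ("after VMCA renewal", VMCA_AFTER_RENEWAL)):
        r = diagnose_sts_refresh(vmca, STS_CURRENT, REQUESTED_DAYS, NOW)
        print(f"{label}: STS would end {r['granted_sts_not_after'].date()}, "
              f"capped by VMCA: {r['capped_by_vmca']}, renew VMCA first: {r['renew_vmca_first']}")
```

Run it against the two exported PEM files by replacing the constructed strings with the real `openssl x509 -noout -dates` output. If `renew_vmca_first` is true, performing the STS refresh from the HTML5 Client or with vCert Option 8 will reproduce the symptom in this article; replace the VMCA certificate first and re-run the check before renewing STS.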