vCenter Server displays incorrect certificate expiry date after successful certificate replacement
Article ID: 420242

Products

VMware vCenter Server

Issue/Introduction

The upcoming expiring certificates cannot be renewed using the vCert tool. Attempts were made to renew each component (Solution Users, STS, etc.) individually with VMCA self-signed certificates, but after restarting the vCenter services the status check still shows only 10 days of validity:

Checking Certificate Status
-----------------------------------------------------------------
Checking Machine SSL certificate                        VALID
Checking Solution User certificates:
  machine                                               10 DAYS
  vsphere-webclient                                     10 DAYS
  vpxd                                                  10 DAYS
  vpxd-extension                                        10 DAYS
  hvc                                                   10 DAYS
  wcp                                                   10 DAYS
Checking SMS self-signed certificate                    17 DAYS
Checking SMS VMCA-signed certificate                    10 DAYS
Checking data-encipherment certificate                  10 DAYS
Checking Authentication Proxy certificate               10 DAYS
Checking Auto Deploy CA certificate                     NO SKID
Checking VMDir certificate                              10 DAYS
Checking BACKUP_STORE entries:
  bkpmachine                                            10 DAYS
  bkpvsphere-webclient                                  10 DAYS
  bkpvpxd                                               10 DAYS
  bkpvpxd-extension                                     10 DAYS
  bkp__MACHINE_CERT                                     EXPIRED
  bkp___MACHINE_CERT                                    EXPIRED
  bkp_machine                                           10 DAYS
  bkp_vsphere-webclient                                 10 DAYS
  bkp_vpxd                                              10 DAYS
  bkp_vpxd-extension                                    10 DAYS
  __MACHINE_CERT                                        EXPIRED
Checking legacy Lookup Service certificate              10 DAYS
Checking VMCA certificate                               10 DAYS

Checking STS Signing Certs & Signing Chains
-----------------------------------------------------------------
Checking TenantCredential-1:
  TenantCredential-1 signing certificate                10 DAYS
  TenantCredential-1 CA certificate                     10 DAYS
Checking TrustedCertChain-1:
  TrustedCertChain-1 signing certificate                10 DAYS
  TrustedCertChain-1 CA certificate                     10 DAYS

Environment

vCenter 8.x

Cause

The issue occurred because the vCenter Server was configured with custom CA-signed certificates issued by the customer’s internal Certificate Authority (CA) infrastructure. These custom certificates were assigned across multiple vCenter components, including Solution Users, STS (Security Token Service), and other machine or service certificates. Certificate inconsistencies or expiration within this custom certificate chain contributed to the authentication and accessibility issues observed in the environment.

Resolution

To resolve the incorrect expiry date of the vCenter certificates, follow the steps below to reset the certificates in the environment using the vCert utility.

  1. Create a Backup Snapshot of the vCenter Server
    • Take an offline snapshot of the affected vCenter Server Appliance (VCSA) before proceeding.
    • In Enhanced Linked Mode (ELM) environments, power off all linked vCenter Servers and create individual offline snapshots for each appliance.
  2. Run the vCert Tool
    • Run the vCert.py script on the affected vCenter Server. For details regarding usage and downloading, refer to the vCert documentation.
  3. Reset Certificates Using VMCA-Signed Certificates
    • From the main menu, select:
      Option 3 – Manage Certificates
      Option 6 – Reset all certificates with VMCA-signed certificates
  4. Restart vCenter Services
    • Restart all vCenter services to apply the certificate changes.
  5. Validate vCenter Accessibility
    • Confirm successful access to:
      VAMI (https://<vcenter>:5480)
      vSphere Client (https://<vcenter>/ui)
    • Verify login functionality using Active Directory (AD) user credentials.
  6. Verify Certificate Expiry
    • Log in to the vCenter GUI and navigate to Menu > Administration > Certificate Management.
    • Confirm all certificates now reflect the correct validity period instead of the incorrect 10-day expiration.
  7. Reinstall Custom SSL Certificates (If Required)
    • Once vCenter functionality is restored, manually re-import and configure the custom SSL certificates if the environment previously used third-party/custom certificates.
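The status column in the vCert output above ("VALID", "10 DAYS", "EXPIRED") and the validity check in step 6 both rest on one number: the days left until a certificate's notAfter date. The script below is an added example, not part of this article and not the vCert tool's own code: it derives that number from any PEM certificate with openssl, renders it in a vCert-style status line, and can pull the live Machine SSL certificate from a TLS endpoint for an independent cross-check after the reset. It assumes openssl on the PATH and GNU date (as on the Photon OS appliance) with a BSD date fallback; the 30-day warning window and the 10-day constructed test certificate are this example's own choices, not vCert's thresholds.

```shell
#!/bin/sh
# Added example (not from the KB article or the vCert tool): compute the days remaining on an
# X.509 certificate with openssl and show it in a vCert-like status column, so the validity
# reported by vCert or by Certificate Management can be cross-checked independently.
# Assumptions: openssl is on PATH; GNU date (Photon OS / Linux) or BSD date is available.
# The 30-day warning window below is this script's own choice, not vCert's threshold.

WARN_DAYS=30

# days_until_expiry PEMFILE
# Prints the number of days (rounded to nearest) until notAfter; negative once expired.
days_until_expiry() {
  pem="$1"
  enddate=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)   # e.g. "Jan  5 12:34:56 2035 GMT"
  end_epoch=$(date -u -d "$enddate" +%s 2>/dev/null \
    || date -u -j -f "%b %d %H:%M:%S %Y %Z" "$enddate" +%s)             # BSD/macOS fallback
  diff=$(( end_epoch - $(date -u +%s) ))
  if [ "$diff" -lt 0 ]; then
    echo $(( (diff - 43200) / 86400 ))
  else
    echo $(( (diff + 43200) / 86400 ))
  fi
}

# status_for_days N
# Maps a day count to the status words used in the vCert output: EXPIRED, "N DAYS", VALID.
status_for_days() {
  if [ "$1" -lt 0 ]; then
    echo "EXPIRED"
  elif [ "$1" -le "$WARN_DAYS" ]; then
    echo "$1 DAYS"
  else
    echo "VALID"
  fi
}

# report_cert LABEL PEMFILE
# Prints one aligned "Checking <label> ... <status>" line.
report_cert() {
  printf 'Checking %-48s %s\n' "$1" "$(status_for_days "$(days_until_expiry "$2")")"
}

# fetch_server_cert HOST PORT OUTFILE
# Saves the leaf certificate presented by a TLS endpoint, e.g. the vCenter Machine SSL cert on 443.
fetch_server_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# make_test_cert DAYS
# Constructed self-signed certificate valid for DAYS days; prints its path. Test data only.
make_test_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -days "$1" -subj "/CN=vcenter.example.test" >/dev/null 2>&1
  echo "$dir/cert.pem"
}

# Usage: ./certdays.sh [PEMFILE...]; with no arguments, demonstrates on a constructed 10-day cert.
if [ "$#" -gt 0 ]; then
  for f in "$@"; do report_cert "$f" "$f"; done
else
  report_cert "constructed 10-day certificate" "$(make_test_cert 10)"
fi
```

After step 4, `fetch_server_cert vcenter.example.test 443 machine-ssl.pem` followed by `report_cert "Machine SSL certificate" machine-ssl.pem` shows what clients actually receive, which is the value to compare against Certificate Management in step 6. Rounding to the nearest day (rather than truncating) is deliberate: a certificate issued a moment ago for 10 days reports 10, matching how a validity period is normally read, while an expired one still comes out negative and is flagged EXPIRED.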