How to Export the STS (Security Token Service) Certificate from vCenter Server.
Article ID: 423367

Updated On:

Products

VMware vCenter Server

Issue/Introduction

The Security Token Service (STS) signing certificate is critical to vSphere Single Sign-On (SSO): the STS signs the SAML tokens it issues with it, and relying services use it to validate those tokens when they are presented or renewed. This article provides three standardized methods to export the STS certificate from a vCenter Server Appliance (VCSA): the API Explorer, the command line interface (CLI), and a third-party LDAP browser (JXplorer).

Environment

  • vCenter Server Appliance

Resolution

You can export the STS certificate using any of the three methods detailed below.

  1. Using the API Explorer:
    • Log in to the vSphere Client.
    • Navigate to Menu >> Developer Center >> API Explorer.
    • Select the API
      • certificate_management/vcenter/signing_certificate
    • Expand the GET operation and click EXECUTE.
    • Copy the certificate string from the response into a text editor.
    • The JSON response carries the certificate as a single string in which each line break appears as the two literal characters "\n". Replace every "\n" with a real line break and remove any surrounding quotation marks.
    • Ensure the base64 body is wrapped with a line break every 64 characters.
    • The file must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----. If the response contains more than one certificate (the signing certificate followed by its issuing chain, as the dcli method below also returns), save each BEGIN/END block to its own file.
    • Save the file as STS_Export.cer. The openssl x509 -noout -text check used in the command-line method below confirms that the saved file parses.

  2. Using the command line:
    • SSH to the vCenter Server Appliance and, if you land in the appliance shell, type shell to get a bash shell (the ldapsearch pipeline below relies on bash process substitution). Then run one of the two commands that follow to fetch the STS certificate.
      1. This ldapsearch command downloads only the root certificate of the STS chain: the perl filter keeps the last userCertificate value of the TenantCredential-1 entry. The -W option prompts for the SSO administrator password, so the password does not end up in shell history.
        • ldapsearch -LLL -o ldif-wrap=no -h localhost -p 389 -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W -b "cn=TenantCredential-1,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local" | perl -0777 -ne '@certs=/userCertificate:: ([A-Za-z0-9+\/=]+)/g; print $certs[-1]' | base64 --decode | tee sts_active.der | tee >(openssl x509 -inform der -outform pem -out sts_active.pem >/dev/null) | openssl x509 -inform der -text -noout
        • The certificate is written in DER form to sts_active.der and in PEM form to sts_active.pem, and its decoded fields are printed to the terminal. Read the PEM file with:
          • cat sts_active.pem
      2. Another way to capture the certificate files from the CLI is dcli.
        • The command below collects every certificate in the STS signing chain, saves each as STS000.crt, STS001.crt, ... in the directory you run it from, and prints the validity dates, issuer and subject of each. Replace PASSWORD with the SSO administrator password; alternatively omit +password PASSWORD altogether and dcli prompts for it, which keeps the password out of shell history and the process list.
        • dcli +server localhost +skip-server-verification +username administrator@vsphere.local +password PASSWORD com vmware vcenter certificatemanagement vcenter signingcertificate get | sed 's|- -----BEGIN|-----BEGIN|g' | sed '/^[[:space:]]*$/d' | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | csplit --prefix=STS --suffix-format='%03d.crt' --elide-empty-files --quiet - '/-----END CERTIFICATE-----/+1' '{*}' && sed -i 's/^ *//; s/ *$//; /^$/d' STS0*.crt && for f in STS0*.crt; do echo "$f" && openssl x509 -in "$f" -noout -text | grep -E 'Not Before|Not After|Issuer:| Subject:'; done
          
  3. Using JXplorer:
    • Download JXplorer and install it on your jump server or on your local machine.
      • Note: Java is required to run JXplorer.
    • Open the tool and connect to the vCenter Server's LDAP directory, binding as the SSO administrator (the same cn=administrator,cn=users,dc=vsphere,dc=local account used by the ldapsearch command above).
    • Navigate to the following entry to download the certificate.
      • cn=TenantCredential-1,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
      • Select the "Table Editor" tab.
        • Locate the "User Certificate" attribute; it holds one value per certificate in the STS chain.
          • Click (non string data) to open each certificate and save it to a file.
        • Copy the saved files to your local machine.
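The hand cleanup that the API Explorer method requires (turning the literal "\n" escapes into line breaks, wrapping the base64 body at 64 columns, keeping the BEGIN/END lines) and the ordering point in the ldapsearch method (the one-liner keeps the last userCertificate value, which the article identifies as the root) are easy to get wrong when done in a text editor. The following Python script is an added example, not part of this article and not VMware tooling; it performs both conversions and refuses to write a file whose decoded bytes are not one complete DER SEQUENCE, which catches a truncated paste before the file is handed to another system. All sample data in it is constructed (minimal DER structures, not real certificates); on a real export you would paste the API string or the ldapsearch output in their place.

```python
"""Normalize an exported vCenter STS certificate into a clean PEM file.

Added example, not part of the KB article.  Covers the two text forms the
article has you clean up by hand: the JSON string from the
signing_certificate API (literal "\\n" escapes, possibly quoted, body not
wrapped at 64 columns) and the LDIF that ldapsearch prints for the
TenantCredential-1 entry (one base64 userCertificate:: value per
certificate in the chain).  All sample data below is constructed.
"""
import base64
import re
import textwrap

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def der_sanity_check(der: bytes) -> bool:
    """Cheap structural check before writing a file: an X.509 certificate is a
    DER SEQUENCE (tag 0x30) whose encoded length must equal the bytes present.
    Catches truncated copy/paste and base64 that decoded to garbage; it does
    not validate the certificate itself (use openssl x509 for that)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        hdr, length = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == hdr + length


def der_to_pem(der: bytes) -> str:
    """Armor DER as PEM with the 64-column wrapping the article asks for."""
    body = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_BEGIN, *textwrap.wrap(body, 64), PEM_END]) + "\n"


def pem_from_api_string(raw: str) -> str:
    """Clean the certificate string copied out of API Explorer: the JSON value
    carries backslash-n as two literal characters, may still be quoted, and its
    body may not be wrapped.  Strip the armor, decode, check, re-armor."""
    text = raw.strip().strip('"').replace("\\n", "\n")
    text = text.replace(PEM_BEGIN, "").replace(PEM_END, "")
    body = re.sub(r"\s+", "", text)
    der = base64.b64decode(body, validate=True)
    if not der_sanity_check(der):
        raise ValueError("decoded data is not one DER SEQUENCE; paste is incomplete or not a certificate")
    return der_to_pem(der)


def certs_from_ldif(ldif: str) -> list:
    """Return every userCertificate value from an ldapsearch dump as DER bytes,
    in directory order.  The article's one-liner keeps the last value and calls
    it the root certificate, so the first value is the leaf STS signing cert.
    Handles both -o ldif-wrap=no output and default LDIF folding, where a
    continuation line starts with a single space."""
    unfolded = re.sub(r"\n ", "", ldif)
    values = re.findall(r"^userCertificate:: ([A-Za-z0-9+/=]+)$", unfolded, re.MULTILINE)
    return [base64.b64decode(v) for v in values]


# --- constructed sample data: minimal valid DER, NOT real certificates ---------
SAMPLE_LEAF_DER = bytes([0x30, 0x05, 0x02, 0x01, 0x01, 0x05, 0x00])   # SEQUENCE { INTEGER 1, NULL }
SAMPLE_ROOT_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])               # SEQUENCE { INTEGER 5 }
SAMPLE_LONG_DER = bytes([0x30, 0x81, 0x80, 0x04, 0x7E]) + bytes(126)  # long-form length, 131 bytes


def _b64(der: bytes) -> str:
    return base64.b64encode(der).decode("ascii")


# Constructed: what the API Explorer result looks like once pasted into an editor.
SAMPLE_API_STRING = '"' + PEM_BEGIN + "\\n" + _b64(SAMPLE_LONG_DER) + "\\n" + PEM_END + "\\n" + '"'

# Constructed: what ldapsearch prints for TenantCredential-1 (abridged, second
# value folded the way default LDIF output folds long lines).
SAMPLE_LDIF = (
    "dn: cn=TenantCredential-1,cn=vsphere.local,cn=Tenants,cn=IdentityManager,"
    "cn=Services,dc=vsphere,dc=local\n"
    "userCertificate:: " + _b64(SAMPLE_LEAF_DER) + "\n"
    "userCertificate:: " + _b64(SAMPLE_ROOT_DER)[:4] + "\n " + _b64(SAMPLE_ROOT_DER)[4:] + "\n"
)

if __name__ == "__main__":
    with open("STS_Export.cer", "w") as fh:
        fh.write(pem_from_api_string(SAMPLE_API_STRING))
    chain = certs_from_ldif(SAMPLE_LDIF)
    for i, der in enumerate(chain):
        role = "leaf (STS signing)" if i == 0 else ("root" if i == len(chain) - 1 else "intermediate")
        print(f"userCertificate[{i}]: {len(der)} bytes DER, {role}")
```

Run openssl x509 -in STS_Export.cer -noout -text on the result, as in the command-line method, to confirm that the subject and validity dates are those of the STS signing certificate and not of the issuing CA.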