How to replace STS_INTERNAL_SSL_CERT using vCert
Article ID: 423742

Products

VMware vCenter Server

Issue/Introduction

This article explains the process to replace STS_INTERNAL_SSL_CERT using vCert.

  • Security scanners may report that the service on port 3128 is using an expired certificate, which can trigger compliance alerts.

  • To view the certificate, execute the command below on the vCenter Server Appliance.
    openssl s_client -connect localhost:3128 -showcerts

  • When running vCert Scripted to check the vCenter certificates, the report shows that the vmware-stsd service uses a legacy certificate.

    Checking STS Server Configuration
    -----------------------------------------------------------------
    Checking VECS store configuration                          LEGACY

Environment

VMware vCenter Server

Cause

In vCenter 6.x, the vmware-stsd service uses a legacy certificate stored in STS_INTERNAL_SSL_CERT (listening on port 3128) for identity management. Because this certificate is carried over during upgrades to ensure continuity, it is not renewed in newer versions and eventually expires, often without being noticed.

Resolution

Follow vCert - Scripted vCenter expired certificate replacement for the installation and script execution guidelines.

Note: Executing the steps below will restart the vmware-stsd service.

To renew the expired certificate, follow the steps below:

  1. Run the vCert script
    ./vCert.py

  2. Select option 5 (Check Configurations)

  3. Select option 2 to check the STS certificate and its configuration

  4. Enter the [email protected] account credentials

  5. If the store shows as LEGACY, as highlighted below, select Yes (y) to update the STS server configuration to use the MACHINE_SSL_CERT store

  6. Once the configuration update is completed, select Yes (y) to restart the vmware-stsd service

  7. Running the openssl command against port 3128 should now show the updated certificate
    openssl s_client -connect localhost:3128 -showcerts

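A pre/post check for steps 1 to 7, added here as an example and not part of vCert or this article: it pulls the leaf certificate from port 3128 and from port 443 using the article's openssl s_client command, then classifies the STS certificate as EXPIRED, LEGACY or OK. It assumes that once vmware-stsd uses the MACHINE_SSL_CERT store, port 3128 presents the same certificate as port 443; the host name and the sample openssl outputs are constructed.

```python
import re
import subprocess
from datetime import datetime, timezone


def fetch_cert_info(host: str, port: int) -> str:
    """Fetch the leaf certificate from host:port (the article's openssl s_client
    command) and reduce it to its expiry date and SHA-256 fingerprint."""
    pem = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-showcerts"],
        input=b"", capture_output=True, timeout=15).stdout
    info = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-fingerprint", "-sha256"],
        input=pem, capture_output=True, timeout=15, check=True).stdout
    return info.decode()


def parse_cert_info(text: str) -> tuple:
    """Parse the 'notAfter=' and 'Fingerprint=' lines of openssl x509 output."""
    end = re.search(r"^notAfter=(.+)$", text, re.M).group(1).strip()
    fp = re.search(r"Fingerprint=([0-9A-Fa-f:]+)", text).group(1).upper()
    not_after = datetime.strptime(end, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return not_after, fp


def classify_sts_cert(sts_info: str, machine_info: str, now: datetime) -> str:
    """EXPIRED: the port 3128 certificate is past notAfter (the scanner finding).
    LEGACY:  still valid but differs from the Machine SSL certificate, so
             vmware-stsd is not yet using the MACHINE_SSL_CERT store (assumption).
    OK:      port 3128 presents the Machine SSL certificate."""
    sts_end, sts_fp = parse_cert_info(sts_info)
    _, machine_fp = parse_cert_info(machine_info)
    if sts_end <= now:
        return "EXPIRED"
    if sts_fp != machine_fp:
        return "LEGACY"
    return "OK"


# Constructed sample outputs (fingerprints shortened; real ones are 32 bytes).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MACHINE_SAMPLE = "notAfter=May 30 10:00:00 2026 GMT\nsha256 Fingerprint=AA:BB:CC:DD\n"
STS_EXPIRED_SAMPLE = "notAfter=Jan  5 08:15:00 2024 GMT\nsha256 Fingerprint=11:22:33:44\n"
STS_LEGACY_SAMPLE = "notAfter=Dec 31 23:59:59 2025 GMT\nsha256 Fingerprint=11:22:33:44\n"

if __name__ == "__main__":
    # Live check on a vCenter appliance: classify_sts_cert(fetch_cert_info("localhost", 3128),
    #                                                      fetch_cert_info("localhost", 443),
    #                                                      datetime.now(timezone.utc))
    for label, sample in [("expired", STS_EXPIRED_SAMPLE), ("legacy", STS_LEGACY_SAMPLE),
                          ("fixed", MACHINE_SAMPLE)]:
        print(label, classify_sts_cert(sample, MACHINE_SAMPLE, NOW))
```

Run it before step 1 to confirm the EXPIRED or LEGACY finding and again after step 7, when port 3128 should report OK.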

Additional Information

Here is how vCert handles STS_INTERNAL_SSL_CERT.

  • When the Machine SSL certificate is refreshed, STS_INTERNAL_SSL_CERT is automatically updated to the new Machine SSL certificate, as expected.
  • You can remove STS_INTERNAL_SSL_CERT with the command below.

    ./vCert.py --run ./config/check_config/sts_config/op_check_sts_config.yaml