Multiple Security Token Service (STS) Certificate Authority (CA) Certificates and Signing Certificates

Article ID: 425548

Products

VMware vCenter Server
VMware vCenter Server 8.0

Issue/Introduction

There are multiple entries for STS certificates when viewing the list of STS certificates through the vCert.py script:

  • Option 2 - View Certificate Info

  • Option 8 - View STS signing certificates

TenantCredential-1
   Certificate Type: Signing Certificate
    Subject: <Omitted>
    Issuer: <Omitted>
    End Date: MON DD HH:MM:SS YYYY GMT

   Certificate Type: CA Certificate
    Subject: <Omitted>
    Issuer: <Omitted>
    End Date: MON DD HH:MM:SS YYYY GMT


TenantCredential-2
   Certificate Type: Signing Certificate
    Subject: <Omitted>
    Issuer: <Omitted>
    End Date: MON DD HH:MM:SS YYYY GMT

   Certificate Type: CA Certificate
    Subject: <Omitted>
    Issuer: <Omitted>
    End Date: MON DD HH:MM:SS YYYY GMT


Viewing Option 1 (the status of all certificates) reports the same multiple STS certificates, similar to the output below:

Checking STS Signing Certs & Signing Chains
-----------------------------------------------------------------
Checking TenantCredential-1:
   TenantCredential-1 signing certificate                 EXPIRED
   TenantCredential-1 CA certificate                        VALID
Checking TenantCredential-2:
   TenantCredential-2 signing certificate                   VALID
   TenantCredential-2 CA certificate                        VALID
Checking TrustedCertChain-2:
   TrustedCertChain-2 signing certificate                   VALID
   TrustedCertChain-2 CA certificate                        VALID


If the previous STS Certificate was not properly cleaned up by the environment, VDT may report that one or more of the STS certificates are expired.

Environment

vCenter

Cause

An STS certificate rotation did not properly clean up the previous STS CA certificates and/or signing certificates.

The STS CA Certificate may have been properly renewed and in use, but the system did not properly clean up the previous certificates.

Resolution

Use the vCert - Scripted vCenter Expired Certificate Replacement script to replace the STS certificates:

  • Option 3 - Manage Certificates

  • Option 8 - STS signing certificates

  • Follow the prompts to replace the STS certificates


While the system is replacing the STS Certificates, it should also clean up the older entries.

It is expected that there is only one TenantCredential entry for an STS CA certificate and STS signing certificate.

Additional Information

In vCenter 8 and higher, STS Certificates are auto-renewed 90 days before expiry.

See the documentation for Security Token Service (STS) for more details.
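The two symptoms this article describes (more than one TenantCredential entry, and an older entry whose signing certificate has already expired) and the 90-day auto-renewal window mentioned above can both be checked from the Option 8 listing without touching the STS itself. The following Python script is an added example, not part of vCert.py or any VMware tooling: it parses a constructed copy of the "View STS signing certificates" output, groups certificates by TenantCredential/TrustedCertChain entry, and classifies each one as EXPIRED, RENEW_DUE (inside the 90-day window) or VALID. The End Date format (`Mon DD HH:MM:SS YYYY GMT`, as in the listing above), the entry names, and all subject, issuer and date values in the sample are assumptions made for this example.

```python
"""Check a vCert 'View STS signing certificates' listing for stale entries.

Added example; parses a constructed copy of the Option 2 -> Option 8 output.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the vCert listing. Subjects, issuers and dates
# are made up for this example; TenantCredential-1 holds an expired signing cert
# left behind by an earlier rotation, TenantCredential-2 is the active one.
SAMPLE_OUTPUT = """\
TenantCredential-1
   Certificate Type: Signing Certificate
    Subject: CN=ssoserverSign,DC=vsphere,DC=local
    Issuer: CN=CA,DC=vsphere,DC=local
    End Date: Jan 15 10:00:00 2024 GMT

   Certificate Type: CA Certificate
    Subject: CN=CA,DC=vsphere,DC=local
    Issuer: CN=CA,DC=vsphere,DC=local
    End Date: Jan 15 10:00:00 2034 GMT


TenantCredential-2
   Certificate Type: Signing Certificate
    Subject: CN=ssoserverSign,DC=vsphere,DC=local
    Issuer: CN=CA,DC=vsphere,DC=local
    End Date: Mar 01 10:00:00 2026 GMT

   Certificate Type: CA Certificate
    Subject: CN=CA,DC=vsphere,DC=local
    Issuer: CN=CA,DC=vsphere,DC=local
    End Date: Jan 15 10:00:00 2034 GMT
"""

# vCenter 8 auto-renews STS certificates 90 days before expiry (per the article).
AUTO_RENEW_WINDOW = timedelta(days=90)

# Assumed date format of the "End Date" field in the listing.
END_DATE_FORMAT = "%b %d %H:%M:%S %Y GMT"

ENTRY_RE = re.compile(r"^(TenantCredential-\d+|TrustedCertChain-\d+)\s*$")
FIELD_RE = re.compile(r"^\s+(Certificate Type|Subject|Issuer|End Date):\s*(.+?)\s*$")


def parse_sts_listing(text):
    """Return {entry_name: [cert_dict, ...]} from the vCert listing text."""
    entries = {}
    current_name = None
    current_cert = None
    for line in text.splitlines():
        entry = ENTRY_RE.match(line)
        if entry:
            current_name = entry.group(1)
            entries.setdefault(current_name, [])
            current_cert = None
            continue
        field = FIELD_RE.match(line)
        if not field or current_name is None:
            continue
        key, value = field.groups()
        if key == "Certificate Type":
            # A new certificate block starts with its type line.
            current_cert = {"type": value}
            entries[current_name].append(current_cert)
        elif current_cert is not None:
            if key == "End Date":
                current_cert["end_date"] = datetime.strptime(
                    value, END_DATE_FORMAT).replace(tzinfo=timezone.utc)
            else:
                current_cert[key.lower()] = value
    return entries


def check_sts_listing(text, now=None):
    """Classify every certificate and flag entries left over from a rotation.

    `now` may be a tz-aware datetime, an ISO date string (treated as UTC),
    or None for the current UTC time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)

    entries = parse_sts_listing(text)
    tenants = [name for name in entries if name.startswith("TenantCredential-")]
    result = {
        "status": {},                        # (entry, cert type) -> status
        "stale_tenants": [],                 # tenants holding an expired cert
        "multiple_tenants": len(tenants) > 1,  # only one entry is expected
    }
    for name, certs in entries.items():
        for cert in certs:
            remaining = cert["end_date"] - now
            if remaining <= timedelta(0):
                status = "EXPIRED"
            elif remaining <= AUTO_RENEW_WINDOW:
                status = "RENEW_DUE"
            else:
                status = "VALID"
            result["status"][(name, cert["type"])] = status
            if status == "EXPIRED" and name in tenants \
                    and name not in result["stale_tenants"]:
                result["stale_tenants"].append(name)
    return result


if __name__ == "__main__":
    report = check_sts_listing(SAMPLE_OUTPUT, "2025-12-15")
    for (entry, cert_type), status in report["status"].items():
        print(f"{entry:22} {cert_type:20} {status}")
    if report["multiple_tenants"]:
        print("More than one TenantCredential entry: a previous STS rotation "
              "left stale certificates behind (see Resolution).")
```

Run against real output by pasting the Option 8 listing into `SAMPLE_OUTPUT` or feeding it to `check_sts_listing()`; any EXPIRED entry alongside a newer TenantCredential matches the Cause described above, and a RENEW_DUE entry on the active TenantCredential simply means the certificate is inside the window in which vCenter 8 renews it automatically.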