SRM/VRMS 9.x: SsoException Signature Verification Error Post-STS Certificate Renewal

Article ID: 429776

Products

VMware Live Recovery

Issue/Introduction

After renewing the Security Token Service (STS) signing certificates on a vCenter Server, Site Recovery Manager (SRM) and vSphere Replication (VRMS) appliances fail to authenticate.

Unable to log in via the SRM/VRMS VAMI or vSphere Client plugin.

Site pairs show as "Disconnected" or "Connection Refused."

vmware-dr-audit.log

2026-02-12T18:12:48.253-07:00 error vmware-dr[03749] [SRM@6876 sub=Audit opID=bbf77d71-f569-4bb1-8e97--############-loginByToken] [Failure] User:(null), Method:dr.SessionManager.loginByToken, From:##.###.##.##

--> (vim.fault.InvalidLogin) {
-->    faultCause = (vim.fault.InvalidLogin) {
-->       faultCause = (dr.fault.InternalError) {
-->          faultCause = (vmodl.MethodFault) null,
-->          faultMessage = <unset>,
-->          reason = "SsoClient::SsoException 'Signature verification error. No verification key available.'"
-->          msg = ""
-->       },
-->       faultMessage = <unset>
-->       msg = ""
-->    },
-->    faultMessage = <unset>
-->    msg = ""
--> }
2026-02-13T11:10:36.688-07:00 error vmware-dr[01172] [SRM@6876 sub=RemoteSite.RemoteStsServer.ConnHandler opID=cc3565f5-b004-45f4-9bf3-############-reconfigureConnection-remoteReconfigureConnection] Unable to retrieve token from STS:
N9SsoClient25InvalidSignatureExceptionE Signature verification error. No verification key available.
[context]zKq7AVECAAQAANjOcAEPdm13YXJlLWRyAAAqIRxsaWJ2bWFjb3JlLnNvAAHpEQFsaWJzc29jbGllbnQuc28AAUQXAgFaHgIBwx8CAYKcAgGsswIB4c0CASMJAwHBLAMAzik0ANJCNADgfUkCsI4AbGlicHRocmVhZC5zby4wAAPf+g9saWJjLnNvLjYA[/context]

2026-02-13T11:10:36.689-07:00 warning vmware-dr[01172] [SRM@6876 sub=RemoteSite.RemoteStsServer connID=sts-2aff opID=cc3565f5-b004-45f4-9bf3-############-reconfigureConnection-remoteReconfigureConnection] Failed to connect
 N9SsoClient25InvalidSignatureExceptionE Signature verification error. No verification key available.
[context]zKq7AVECAAQAANjOcAEPdm13YXJlLWRyAAAqIRxsaWJ2bWFjb3JlLnNvAAHpEQFsaWJzc29jbGllbnQuc28AAUQXAgFaHgIBwx8CAYKcAgGsswIB4c0CASMJAwHBLAMAzik0ANJCNADgfUkCsI4AbGlicHRocmVhZC5zby4wAAPf+g9saWJjLnNvLjYA[/context]

Environment

VMware Live Recovery 8.x

VMware Live Recovery 9.x

Cause

The SRM and VRMS services cache the vCenter Single Sign-On (SSO) metadata, which includes the public key of the STS signing certificate.

When the STS certificate is renewed, the old key remains in the appliance's Java resident memory. Consequently, when vCenter issues a new SAML token signed with the new key, the SRM/VRMS client rejects it because it cannot find a matching "verification key" in its stale cache.

Resolution

Flush Appliance Cache:

  • Power off and power on the SRM and VRMS appliances. A full reboot ensures all services (dr-server, hms) re-initialize their trust with the Lookup Service.

Update Site Trust:

  • Log in to the vSphere Client.
  • Navigate to Site Recovery > Open Site Recovery.
  • Select the affected Site Pair.
  • Click Actions > Reconnect.
  • You will be prompted to verify and accept the new certificate thumbprints.

Manual Service Restart (If UI is inaccessible):

  • If the vSphere Client plugin is not loading, SSH into the appliances as root and run:
  • SRM: systemctl restart dr-server
  • VRMS: systemctl restart hms

Verify Status:

The site pair status should transition to Connected.

Monitor Protection Groups to ensure they move from "Error" to "OK."
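To confirm that the fix held, check that the log no longer records the signature error after the restart time. The script below is an added example, not part of the original article or of VMware tooling; the function names are hypothetical, the log path is passed as an argument because the article does not give one, and the sample lines are constructed from the excerpt above.

```shell
#!/bin/sh
# Added example: count STS signature-verification failures in an SRM log
# that were logged at or after a given time (for example, the restart time).
# Assumption: every timestamp in the file carries the same UTC offset, so
# ISO 8601 strings can be compared as plain text.

STS_SIG='Signature verification error. No verification key available.'

# sts_sig_errors_since LOGFILE [SINCE]
# Prints the number of log records containing the error with timestamp >= SINCE.
sts_sig_errors_since() {
    awk -v sig="$STS_SIG" -v since="${2:-}" '
        # A new record starts with a timestamp; continuation lines ("-->",
        # exception text) belong to the most recent timestamped record.
        /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T/ { ts = $1; counted = 0 }
        # Count each record once, forcing string comparison of timestamps.
        index($0, sig) && !counted && (since == "" || (ts "") >= (since "")) {
            n++; counted = 1
        }
        END { print n + 0 }
    ' "$1"
}

# write_sample PATH: constructed sample lines (shortened, not real log data).
write_sample() {
    cat > "$1" <<'EOF'
2026-02-12T18:12:48.253-07:00 error vmware-dr[03749] [SRM@6876 sub=Audit] [Failure] Method:dr.SessionManager.loginByToken
-->          reason = "SsoClient::SsoException 'Signature verification error. No verification key available.'"
2026-02-13T11:10:36.688-07:00 error vmware-dr[01172] [SRM@6876 sub=RemoteSite.RemoteStsServer.ConnHandler] Unable to retrieve token from STS:
N9SsoClient25InvalidSignatureExceptionE Signature verification error. No verification key available.
2026-02-13T14:02:10.101-07:00 info vmware-dr[02211] [SRM@6876 sub=Example] constructed line without the error
EOF
}

# Demo: errors logged after a constructed restart time of 12:00 on 2026-02-13.
sample=$(mktemp)
write_sample "$sample"
echo "errors since restart: $(sts_sig_errors_since "$sample" "2026-02-13T12:00:00")"
rm -f "$sample"
```

A non-zero count after the restart time means the appliance is still rejecting tokens and the stale key was not flushed.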

Additional Information

Broadcom KB 316619:

"Signing certificate is not valid" or "No healthy upstream" error in vCenter Server Appliance

If the "Reconnect" fails, verify that the vCenter STS certificate is valid using the checksts.py script on the vCenter Server Appliance.