If you're managing a VMware environment, keeping your vCenter STS (Security Token Service) signing certificate valid is crucial for SSO (Single Sign-On) functionality. An expired STS certificate can lead to vSphere Client login failures and service disruptions.
In this guide, I’ll walk you through three different methods to renew the STS signing certificate in vCenter, depending on your environment’s current state.
Important: Before proceeding with any of the methods below, it's highly recommended to take a snapshot of your vCenter Server Appliance (VCSA). This provides a rollback point in case something goes wrong during the certificate renewal process.
Method 1: Renew STS Certificate from the vSphere Web Client (If Not Yet Expired)
This is the easiest and cleanest method, ideal when the STS certificate is still valid but nearing expiration.
Steps:
- Log into the vSphere Web Client.
- From the Home menu, go to Administration.
- Under the Certificates section, select Certificate Management.
- Locate and review the STS Signing Certificate details.
- Click on the drop-down menu next to the certificate and choose Refresh Certificate.
- If successful, the STS certificate will be renewed automatically.
Method 2: Renew Using VCSA CLI with fixsts.sh Script (If Certificate Has Expired and Web UI Is Inaccessible)
This method is useful when the STS certificate has already expired, preventing access to the vSphere client.
Steps:
- Download the following two scripts from the Broadcom Knowledge Base (checksts.py and fixsts.sh).
- Transfer both scripts to the VCSA’s /tmp directory using tools like WinSCP or MobaXterm.
- Connect to the VCSA via SSH as root, then change to that directory:
cd /tmp
- Check the current STS certificate status:
python checksts.py
If expiration is confirmed, continue to the next step.
- Make the fix script executable:
chmod +x fixsts.sh
- Run the fix script:
./fixsts.sh
- When prompted, enter the password for the SSO administrator account (usually [email protected]).
- Once completed, the STS certificate should be renewed successfully.
Method 3: Renew Using vCert.py Script via CLI (Advanced Option)
An alternative CLI-based method that offers a more guided experience through a menu-driven interface.
Steps:
- Download the following scripts from the Broadcom Knowledge Base (checksts.py and vCert.py).
- Upload both to the /tmp directory on your VCSA using WinSCP or similar.
- Connect via SSH as root and change to that directory:
cd /tmp
- Verify the certificate status:
python checksts.py
If the STS certificate is expired, proceed.
- Decompress the vCert archive using the following command:
unzip -q vCert-6.0.0-20250218.zip
- Navigate inside the decompressed folder:
cd vCert-6.0.0-20250218
- Start the vCert utility:
./vCert.py
- Accept the warning prompt by typing Y.
- From the menu, select Manage Certificates.
- Then choose STS Signing Certificates.
- Follow the prompts to complete the certificate regeneration process. You can opt for a custom CA-signed certificate, but in most environments, the default VMCA-signed certificate is sufficient.
- Once the process completes, return to the main menu and choose Restart Services.
- Then select Restart all VMware Services.
- Once services are restarted, open the vCenter Web Client and try logging in again.
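Before picking a method, it helps to know whether the STS signing certificate is still valid (Method 1), merely close to expiry, or already expired (Method 2 or 3). The shell helper below is an added example of mine, not one of the Broadcom KB scripts: it classifies a certificate that has already been exported to a PEM file using openssl's -checkend, and the sample certificate it generates is a constructed stand-in for the real STS certificate. It assumes openssl is in PATH.

```shell
#!/bin/sh
# Classify an STS signing certificate (exported as PEM) by remaining validity.
# Usage: sts_cert_state CERT.pem [WARN_DAYS]   (WARN_DAYS defaults to 30)
# Prints ok | expiring | expired | unreadable
# Exit status: 0 ok, 1 expiring, 2 expired, 3 unreadable
sts_cert_state() {
  cert="$1"
  warn_days="${2:-30}"

  # Refuse anything openssl cannot parse as an X.509 certificate.
  if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
    echo unreadable; return 3
  fi
  # -checkend N exits non-zero if the cert will have expired N seconds from now.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo expired; return 2      # UI login is likely already broken: Method 2 or 3
  fi
  if ! openssl x509 -in "$cert" -noout -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
    echo expiring; return 1     # still valid: refresh it from the UI (Method 1)
  fi
  echo ok; return 0
}

# Constructed sample (hypothetical subject name): a throwaway self-signed cert
# valid for DAYS days, standing in for the STS signing cert. Prints the PEM path.
make_sample_cert() {
  days="$1"
  dir="$(mktemp -d)"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -subj "/CN=ssoserverSign-sample" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  echo "$dir/cert.pem"
}

# When run directly with a PEM path, report its state and exit accordingly.
if [ $# -gt 0 ]; then
  sts_cert_state "$1" "${2:-30}"
fi
```

Run it as `sh sts_check.sh /path/to/sts.pem 30` from a cron job to get warned while Method 1 is still an option.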
Note: All scripts used in this guide are sourced from Broadcom’s official VMware Knowledge Base (KB79248 and KB385107).
Renewing your STS certificate before it expires is a best practice to ensure service availability and smooth SSO operations. Hopefully, one of the above methods helps get your vCenter back on track quickly.
Let me know in the comments if you have any questions or ran into any issues.