To resolve this issue:
- Download the attached "fixsts.ps1" from this article and upload it to the affected PSC, or vCenter Server with embedded PSC, into C:\Temp or any other available folder.
- If the vCenter Server version is lower than 6.7 Update 3g, also download the attached "vmware-identity-sso-config67u3g.jar" from this article and upload it to the same folder as the script from step 1.
- Open a PowerShell session as administrator (Start > Search > PowerShell > Run as administrator).
- Change directory to the folder into which you uploaded the files using cd "path to folder".
- Run .\fixsts.ps1
- Restart the services on all vCenter Servers and/or PSCs in your SSO domain.
- Replace any other expired certificates you might have using Certificate Manager, as shown in How to use vSphere Certificate Manager to Replace SSL Certificates.
The following one-liner lists the alias and "Not After" (expiry) date of every entry in every VECS store on a Windows vCenter Server, so that any other expired certificates can be identified. It must be executed in PowerShell:
$VCInstallHome = [System.Environment]::ExpandEnvironmentVariables("%VMWARE_CIS_HOME%");foreach ($STORE in & "$VCInstallHome\vmafdd\vecs-cli" store list){Write-Host STORE: $STORE;& "$VCInstallHome\vmafdd\vecs-cli" entry list --store $STORE --text | findstr /C:"Alias" /C:"Not After"}
Note: If you replaced Machine SSL or VMCA Root certificates, you will need to re-register 2nd party solutions such as NSX, SRM, and vSphere Replication.
Note: In case you're using HLM (Hybrid Linked Mode) without a gateway, you would need to re-sync the certs from Cloud to On-Prem after following this procedure.
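As an added example (not from this article and not part of fixsts.ps1), the following PowerShell script walks the same VECS stores as the one-liner above but parses each "Not After" date and flags entries that are already expired or expire within a configurable number of days, instead of leaving the reader to compare dates by eye. The vecs-cli location is the one the one-liner uses; the MACHINE_SSL_CERT store name and the sample entry text are constructed so the parsing logic also runs on a machine without vecs-cli.

```powershell
# Added example, not part of the KB article or of fixsts.ps1.
# Lists every entry in every VECS store with its expiry date and flags entries
# that are expired or expire within -WarnDays. If vecs-cli is not present
# (e.g. when run on a workstation), it parses the constructed sample below.
param([int]$WarnDays = 30)

$VCInstallHome = [System.Environment]::ExpandEnvironmentVariables("%VMWARE_CIS_HOME%")
$VecsCli       = Join-Path $VCInstallHome "vmafdd\vecs-cli.exe"
$HaveVecs      = Test-Path $VecsCli

# Constructed sample in the shape of 'vecs-cli entry list --store <store> --text'
# (PEM bodies omitted). This is NOT output captured from a real system.
$SampleText = @"
Number of entries in store :    2
Alias : __MACHINE_CERT
Entry type :    Private Key
Certificate:
    Data:
        Validity
            Not Before: Jan  5 10:00:00 2019 GMT
            Not After : Jan  5 10:00:00 2021 GMT
Alias : renewed-cert
Entry type :    Trusted Cert
Certificate:
    Data:
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Jan  1 00:00:00 2034 GMT
"@

function Get-VecsStores {
    if ($HaveVecs) { return @(& $VecsCli store list) }
    return @('MACHINE_SSL_CERT')   # assumed store name for the offline sample
}

function Get-VecsStoreText([string]$Store) {
    if ($HaveVecs) { return (& $VecsCli entry list --store $Store --text) -join "`n" }
    return $SampleText
}

# Parse the openssl-style date 'MMM d HH:mm:ss yyyy GMT' into a UTC [datetime].
function ConvertFrom-OpenSslDate([string]$Text) {
    $clean = (($Text -replace '\s+', ' ').Trim()) -replace ' GMT$', ''
    return [datetime]::ParseExact($clean, 'MMM d HH:mm:ss yyyy',
        [cultureinfo]::InvariantCulture,
        ([System.Globalization.DateTimeStyles]::AssumeUniversal -bor
         [System.Globalization.DateTimeStyles]::AdjustToUniversal))
}

# Walk the text output, remembering the current alias and emitting one record
# per 'Not After' line (a chain entry can carry several certificates).
function Get-CertificateStatus {
    param([string]$Store, [string]$Text, [datetime]$Now)
    $alias = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*Alias\s*:\s*(.+)$') { $alias = $Matches[1].Trim(); continue }
        if ($line -match 'Not After\s*:\s*(.+)$') {
            $notAfter = ConvertFrom-OpenSslDate $Matches[1]
            $daysLeft = [int][math]::Floor(($notAfter - $Now).TotalDays)
            $status   = if ($daysLeft -lt 0) { 'EXPIRED' }
                        elseif ($daysLeft -le $WarnDays) { 'EXPIRES SOON' }
                        else { 'OK' }
            [pscustomobject]@{
                Store    = $Store
                Alias    = $alias
                NotAfter = $notAfter
                DaysLeft = $daysLeft
                Status   = $status
            }
        }
    }
}

$now = (Get-Date).ToUniversalTime()
$results = foreach ($store in Get-VecsStores) {
    Get-CertificateStatus -Store $store -Text (Get-VecsStoreText $store) -Now $now
}
$results | Sort-Object NotAfter | Format-Table Store, Alias, NotAfter, DaysLeft, Status -AutoSize

if ($results | Where-Object Status -eq 'EXPIRED') {
    Write-Warning "Expired certificates found; replace them with vSphere Certificate Manager."
}
```

Run it from an elevated PowerShell session on the vCenter Server (for example .\Check-VecsExpiry.ps1 -WarnDays 60). Dates are compared in UTC because vecs-cli prints them in GMT; against the constructed sample the __MACHINE_CERT entry reports EXPIRED and renewed-cert reports OK.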
The script prompts for the SSO administrator password and then regenerates and replaces the STS signing certificate.
Example output from a successful run:
Generating New STS Certificate
Status : Success
Using config file : C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg
Status : Success
User DN is: cn=administrator,cn=users,dc=vsphere,dc=local
Successfully deleted cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
Successfully deleted cn=TenantCredential-1,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
vCenter Server Version is 6.7.0.31555 Build 16046470
All STS Tenant branches deleted!
Re-creating STS tenant
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/C:/Program%20Files/VMware/vCenter%20Server/VMware%20Identity%20Services/log4j-slf4j-impl-2.11.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/C:/Program%20Files/VMware/vCenter%20Server/VMware%20Identity%20Services/slf4j-log4j12-1.6.4.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/C:/ProgramData/VMware/vCenterServer/runtime/VMwareSTSService/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.11.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/C:/ProgramData/VMware/vCenterServer/runtime/VMwareSTSService/webapps/ROOT/WEB-INF/lib/slf4j-log4j12-1.7.26.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
STS Certificate Replaced Successfully!!, please restart the services
Since the STS certificate has been replaced, you may need to re-register external solutions (SRM, NSX, etc.)