Checking Expiration of STS Certificate on vCenter Servers

Article ID: 318968


Products

VMware vCenter Server

Issue/Introduction

This article provides steps to identify the expiry date of the VMware STS certificate.

Symptoms:
  • The VMware Security Token Service (STS) signing certificate is about to expire.
  • You want to check the status of the VMware Security Token Service (STS) signing certificate.


Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 6.7.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 6.5.x
VMware vCenter Server 8.0.x

Cause

The STS signing certificate is expected to have a lifetime of around 2 years (rather than the longer-lived certificate issued by earlier releases) in the following scenarios:
  • Fresh installation of PSC/vCenter Server 6.5 U2 or any later 6.5 release. This applies to the 6.5 release line only; it does not apply to every build that is numerically newer than 6.5 U2 on other release lines.
  • Fresh installation of PSC/vCenter Server 6.5 U2 or a later 6.5 release that was subsequently upgraded to a later version, including 6.7 and 7.0.
  • The STS signing certificate has been replaced using certool after installation of the PSC or vCenter Server.
  • The STS signing certificate has been replaced with a custom certificate (internal or external CA-signed).

Resolution

Important: Starting with vCenter Server 6.5 U3k, 6.7 U3j and 7.0 U1, you receive a weekly notification when the vCenter Single Sign-On Security Token Service (STS) signing certificate is close to expiration. Notifications start 90 days before the STS certificate expires and become daily during the last week before expiration.

To verify the expiry date of your VMware Security Token Service (STS):

HTML 5 client

Note: Available from vCenter Server 7.0 Update 2 and later.
  1. Connect to the vSphere HTML5 client at https://vcenter_server_ip_address_or_fqdn/ui.
  2. From the Home menu, select Administration.
  3. Under Certificates, click Certificate Management.
  4. View the STS Signing Certificate card.

    [Screenshot: STS Signing Certificate card in the HTML5 client]

Note: The card shows the following information:
  • A "Valid until" date, which indicates when the certificate will expire.
  • A green check for a valid certificate, or an orange warning for a certificate that is close to expiration.
  • A View Details link that shows additional details of the active certificate chain.

VCSA

  1. Download the checksts.py script attached to this article.
  2. Upload the script to the VCSA or external PSC, for example to /tmp.

    Note: You can use WinSCP to upload the script to the VCSA. If WinSCP fails to connect to the VCSA, change the root shell to bash first, as described in Error when uploading files to vCenter Server Appliance using WinSCP (2107727):

    chsh -s /bin/bash root

  3. Once the script has been uploaded to the VCSA, change to the directory you uploaded it to, for example:

    cd /tmp

  4. Run python checksts.py.

    [Screenshot: checksts.py output on the VCSA showing the STS certificate validity]

Windows

  1. Download the checksts.py script attached to this article.
  2. Upload the script to the Windows Server on which vCenter Server is installed, for example to %TEMP%.
  3. Once the script has been uploaded, change to the directory you uploaded it to, for example:

    cd %TEMP%

  4. Run "%VMWARE_PYTHON_BIN%" checksts.py.

    [Screenshot: checksts.py output on Windows showing the STS certificate validity]
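As an added example, not VMware's checksts.py (the attached script is not reproduced here), the following standard-library Python does what the VCSA and Windows procedures above and the expiry notification described under Resolution do: it reads notBefore/notAfter out of an X.509 certificate given as DER bytes or PEM text with a minimal ASN.1 walker, then classifies the result using the 90-day and 7-day thresholds. The DER encoder, make_test_cert() and every function name are assumptions made for this illustration; the embedded certificate is a constructed, unsigned stand-in, not a real STS signing certificate. On a live system you would pass the STS signing certificate exported from vCenter (for example via View Details on the Certificate Management card) instead.

```python
"""Added example, not VMware's checksts.py: read the validity window of an
X.509 certificate with a minimal DER walker and classify it the way the
vCenter STS expiry notification does (warnings from 90 days out, daily in
the final week).  Standard library only."""
import base64
import datetime as dt
import re

UTC = dt.timezone.utc


def utc(year, month, day, hour=0, minute=0, second=0):
    return dt.datetime(year, month, day, hour, minute, second, tzinfo=UTC)


# --- minimal DER decoding ------------------------------------------------
def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for every element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val


def _decode_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50..99 -> 19xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:                       # 0x18 = GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))


def der_to_pem(der):
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % body


def cert_validity(cert):
    """Return (notBefore, notAfter) from DER bytes or PEM text."""
    der = pem_to_der(cert) if isinstance(cert, str) else cert
    _, certificate, _ = _tlv(der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(certificate, 0)        # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = _children(fields[3][1])
    return _decode_time(*not_before), _decode_time(*not_after)


def sts_status(not_after, now=None):
    """Weekly warnings inside 90 days, daily inside the last 7, expired after notAfter."""
    now = now or dt.datetime.now(UTC)
    days_left = (not_after - now).days
    if not_after <= now:
        state, cadence = "expired", None    # STS can no longer issue valid tokens
    elif days_left <= 7:
        state, cadence = "warning", "daily"
    elif days_left <= 90:
        state, cadence = "warning", "weekly"
    else:
        state, cadence = "valid", None
    return {"not_after": not_after.isoformat(), "days_left": days_left,
            "state": state, "notification": cadence}


def check(cert, now=None):
    """One call per certificate: validity window plus status."""
    not_before, not_after = cert_validity(cert)
    result = sts_status(not_after, now)
    result["not_before"] = not_before.isoformat()
    return result


# --- constructed test input (assumption: not a real STS certificate) ------
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _encode_time(t):                        # RFC 5280 picks the tag by year
    if t.year < 2050:
        return _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    return _der(0x18, t.strftime("%Y%m%d%H%M%SZ").encode())


def make_test_cert(not_after, lifetime_days=730):
    """Structurally valid, unsigned DER certificate with the 2-year STS lifetime."""
    not_before = not_after - dt.timedelta(days=lifetime_days)
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                   # version v3
        _der(0x02, b"\x01"),                                               # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSAEncryption
        _der(0x30, b""),                                                   # issuer (empty Name)
        _der(0x30, _encode_time(not_before) + _encode_time(not_after)),    # validity
        _der(0x30, b""),                                                   # subject (empty Name)
        _der(0x30, b""),                                                   # subjectPublicKeyInfo placeholder
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))        # + signatureAlgorithm, signature


if __name__ == "__main__":
    print(check(der_to_pem(make_test_cert(utc(2024, 1, 31))), now=utc(2024, 1, 1)))
```

Run as-is and it reports a certificate 30 days from expiry with a weekly notification state; pass a real PEM string and omit now to evaluate against the current time. The walker only descends as far as the validity field, so it does not depend on the issuer, subject or extensions, and it handles both UTCTime and GeneralizedTime encodings.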

Web Client Flash

Note: Adobe Flash Player reached End of Life (EOL) on Dec 31, 2020, and the major browser vendors disabled Flash applications around that date. For more information, see VMware Flash End of Life and Supportability (78589).
  1. Connect to the vSphere Web Client at https://vcenter_server_ip_address_or_fqdn/vsphere-client.
  2. Select Administration > Single Sign-On > Configuration > Certificates > STS Signing.

    [Screenshot: STS Signing tab in the Flash-based vSphere Web Client]

    Note: Before vCenter Server 7.0 Update 2, the STS certificate cannot be viewed from the HTML5 client; use the Flash client or the checksts.py script instead.
 


Additional Information

Important: The vCenter certificate expiry alarm does not cover the STS certificate. The methods in the Resolution section are the only way to determine the STS certificate's expiry date, so VMware recommends checking it periodically to ensure it does not expire unnoticed. For additional information, see VMware's vSphere blog post:
Signing Certificate is Not Valid – Security Token Service Certificate Issue in vSphere.

Related articles:
  • Download/replace or change/create STS certificate
  • CertificateStatusAlarm - There are certificates that expired or are about to expire / Certificate Status Change Alarm Triggered on VMware vCenter Server (status alarms for certificates other than the STS certificate)
  • VMware Skyline Health Diagnostics for vSphere - FAQ
  • "503 Service Unavailable" error on the vSphere Web Client when logging in or accessing the vCenter Server

Attachments

checksts.py