Checking Expiration of STS Certificate on vCenter Servers
https://knowledge.broadcom.com/external/article?legacyId=79248
Article ID: 318968
Updated On: 01-02-2025
Issue/Introduction
This article provides steps to identify the expiry date of the VMware Security Token Service (STS) signing certificate. It applies when:
The VMware Security Token Service (STS) certificate is about to expire.
You want to check the status of the VMware Security Token Service (STS) certificate.
Notes:
VMware recommends replacing the certificate if it is set to expire within 6 months. If the expiry date is more than six months away, schedule the certificate replacement at an appropriate time.
If the STS certificate is about to expire or if it is already expired, see:
Cause
The STS signing certificate is expected to have a lifetime of around 2 years in the following scenarios:
Fresh installation of PSC/vCenter Server 6.5 U2 or any later 6.5 release, subsequently upgraded to a later version, including 6.7 and 7.0.
The STS signing certificate was replaced using certool after vCenter Server was installed.
The STS signing certificate was replaced with a custom certificate (internal or external CA signed).
Resolution
Important: In vCenter Server 7.0 U1, you receive a weekly notification when the vCenter Single Sign-On Security Token Service (STS) signing certificate is close to expiration. Notifications start 90 days before the STS certificate expires and become daily during the last week before expiration.
To verify the expiry date of your VMware Security Token Service (STS) signing certificate, use one of the following methods.
From the vSphere Client UI
Note: Available from vCenter Server 7.0 Update 2 and later.
Connect to the vSphere Client (HTML5) at https://vcenter_server_ip_address_or_fqdn/ui
From the Home menu, select Administration.
Under Certificates, click Certificate Management.
View the STS Signing Certificate information:
The "Valid until" date indicates when the certificate will expire.
A green check marks a valid certificate; an orange check warns of an upcoming certificate expiration.
A View Details link shows additional details of the active certificate chain.
From the VCSA CLI (use this method if the STS certificate has already expired, which makes the vSphere Client inaccessible)
Download the checksts.py script attached to this article.
Upload the script to the VCSA, for example to /tmp.
Note: You can use WinSCP to upload the script to the VCSA. If WinSCP fails to connect to the VCSA, run the following command from the VCSA CLI to switch the root shell to bash:
chsh -s /bin/bash root
(See Connecting to vCenter Server Virtual Appliance using WinSCP fails with the error: Received too large (1433299822 B) SFTP packet. Max supported packet size is 1024000 B)
Once the script has been uploaded to the VCSA, change to the directory you uploaded it to, for example:
cd /tmp
Run the script:
python checksts.py
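The attached checksts.py is not reproduced on this page. As an added example that is not VMware's script, the following stdlib-only Python reads the validity period directly out of a DER or PEM certificate (for instance the STS signing certificate exported from VMDir with ldapsearch, or any certificate saved with openssl) and rates it against the thresholds this article cites: inside the 90-day notification window, within six months, or fine. The reading of "six months" as 183 days, the status labels, and the der/der_time/make_test_certificate/to_pem helpers that build the constructed, unsigned sample certificate are assumptions of the example, not anything VMware ships.

```python
"""Expiry check for a signing certificate such as the vCenter STS certificate.
Added example, not VMware's checksts.py; stdlib only so it can run on a VCSA."""
import base64
from datetime import datetime, timezone

UTC_TIME, GENERALIZED_TIME, SEQUENCE, CONTEXT_0 = 0x17, 0x18, 0x30, 0xA0

def iso_utc(text):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def read_tlv(buf, pos=0):  # (tag, value, next_pos) of the single-byte-tag DER TLV at buf[pos]
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                              # long-form length: 0x8N then N bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(buf):  # (tag, value) pairs directly inside a constructed DER value
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    """X.509 Time (RFC 5280 4.1.2.5): UTCTime 'YYMMDDHHMMSSZ' or GeneralizedTime, both UTC."""
    s = val.decode("ascii")
    if tag == UTC_TIME:                           # two-digit year: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != GENERALIZED_TIME:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def load_der(data):
    """Accept PEM (as ldapsearch or openssl print it) or raw DER bytes; return DER."""
    if b"-----BEGIN" not in data:
        return data
    lines = [l.strip() for l in data.splitlines()]
    return base64.b64decode(b"".join(l for l in lines if l and not l.startswith(b"-----")))

def certificate_validity(data):
    """Return (notBefore, notAfter); the signature and other fields are not checked."""
    _, cert, _ = read_tlv(load_der(data))         # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert)                    # tbsCertificate ::= SEQUENCE
    fields = children(tbs)
    if fields and fields[0][0] == CONTEXT_0:      # optional [0] EXPLICIT version
        fields = fields[1:]
    tag, validity = fields[3]                     # serial, signature, issuer, validity, ...
    if tag != SEQUENCE:
        raise ValueError("validity field is not a SEQUENCE")
    not_before, not_after = children(validity)
    return parse_time(*not_before), parse_time(*not_after)

def sts_status(not_after, now):
    """Rate remaining lifetime against the article's thresholds (6 months taken as 183 days)."""
    days = (not_after - now).days
    if days < 0:
        return "EXPIRED", days
    if days <= 90:
        return "CRITICAL: inside the 90-day notification window, replace now", days
    if days <= 183:
        return "WARNING: expires within 6 months, schedule replacement", days
    return "OK", days

def check_certificate(data, now_iso):
    """One-call check: PEM/DER bytes plus 'now' as ISO-8601 UTC; returns a report dict."""
    not_before, not_after = certificate_validity(data)
    status, days = sts_status(not_after, iso_utc(now_iso))
    return {"not_before": not_before.isoformat(), "not_after": not_after.isoformat(),
            "days_left": days, "status": status}

def der(tag, content):  # DER TLV encoder, used only to build the constructed test data below
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_time(iso):
    """RFC 5280: dates through 2049 are encoded as UTCTime, later ones as GeneralizedTime."""
    dt = iso_utc(iso)
    if dt.year < 2050:
        return der(UTC_TIME, dt.strftime("%y%m%d%H%M%SZ").encode())
    return der(GENERALIZED_TIME, dt.strftime("%Y%m%d%H%M%SZ").encode())

def make_test_certificate(not_before_iso, not_after_iso, serial=1):
    """Constructed, unsigned DER cert: real version/serial/validity, everything else empty."""
    empty, version = der(SEQUENCE, b""), der(CONTEXT_0, der(0x02, b"\x02"))
    serial_der = der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True))
    validity = der(SEQUENCE, der_time(not_before_iso) + der_time(not_after_iso))
    tbs = der(SEQUENCE, version + serial_der + empty + empty + validity + empty + empty)
    return der(SEQUENCE, tbs + empty + der(0x03, b"\x00"))   # + sigAlg + empty BIT STRING

def to_pem(der_bytes):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der_bytes) + b"-----END CERTIFICATE-----\n"
```

Feed check_certificate() the PEM or DER bytes of the certificate to check and the current time as an ISO-8601 UTC string; for a constructed 2-year certificate issued 2023-03-01 and checked on 2025-01-02, it reports 58 days left and the CRITICAL status, which is the situation in which this article tells you to replace the certificate. The parser only walks the TBSCertificate far enough to reach the Validity sequence, so it does not verify the signature or chain; it is an expiry check, not a trust check.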
Additional Information
Important: The general certificate expiry alarm does not account for the STS certificate; there is a separate alarm for the STS certificate status. The methods in the Resolution section of this article are the only way to determine the expiry date of the STS certificate. VMware recommends checking the STS certificate periodically to ensure it does not expire. For additional information, see the VMware vSphere blog post:
Signing Certificate is Not Valid – Security Token Service Certificate Issue in vSphere.
Main certificates article: For more information on Status Alarms for certificates, see CertificateStatusAlarm - There are certificate that expired or about to expire / Certificate Status Change Alarm Triggered on VMware vCenter Server.
VMware Skyline Health Diagnostics for vSphere - FAQ
Error "503 Service Unavailable" when attempting to access vCenter Server vSphere Client
Attachments
https://api-broadcomcms-software.wolkenservicedesk.com/es/attachments/download_attachment?domain=broadcomcms-software.wolkenservicedesk.com
Link to this post: https://hqyman.cn/post/9398.html (articles not original to this site may be reposted freely; original articles must retain this site's address).