Checking Expiration of STS Certificate on vCenter Server (79248)

Symptoms

If the vCenter Server was deployed as version 6.5 Update 2 or later, the Security Token Service (STS) signing certificate may have a two-year validity period. Depending on when vCenter was deployed, this may be approaching expiry.

Note: vCenter Server does not refresh STS certificates on upgrades.

Purpose
Provide steps to identify the expiry date of the STS certificate. The certificate expiry alarm does not account for the STS certificate.
Cause
When the STS certificate expires, it does so without warning. On some systems, this expiry may occur as soon as two years from initial deployment.

Notes:
  • The STS signing certificate is expected to have a lifetime of around 2 years in the scenarios listed below.
  • This applies only to deployments that started on 6.5 U2 or a later 6.5 release, not to every version from 6.5 U2 onward:
    • Fresh installation of PSC/vCenter Server 6.5 starting with U2 or later (6.5 lines only).
    • Fresh installation of PSC/vCenter Server 6.5 U2 or any later 6.5 release that was subsequently upgraded to a later version, including 6.7 and 7.0.
    • STS signing certificate replaced using certool after installation of the PSC or vCenter Server.
    • STS signing certificate replaced with a custom certificate (internal/external CA signed).
Resolution
To verify the STS certificate expiry date, use one of the following methods. If the certificate is near expiry, follow "Signing certificate is not valid" - Regenerating and replacing expired STS certificate using shell script on vCenter Server Appliance 6.5/6.7 or "Signing certificate is not valid" - Regenerating and replacing expired STS certificate using PowerShell script on vCenter Server 6.5/6.7 installed on Windows to resolve the issue. VMware recommends replacing the certificate if it is set to expire within 6 months. If expiry will occur in more than six months, schedule certificate replacement at the appropriate time.

Web Client (Flash)
  1. Connect to the vSphere Web client: https://vcenter_server_ip_address_or_fqdn/vsphere-client
  2. Select Administration > Single Sign-On > Configuration > Certificates > STS Signing

Note: The STS certificate cannot be viewed from the HTML5 client

Script
  1. Download the checksts.py script attached to this KB.
  2. Upload it to the vCenter Server or external PSC, for example to /tmp on the VCSA or %TEMP% on Windows. (You may use WinSCP to upload the script to the VCSA; if the WinSCP connection fails, refer to KB Error when uploading files to vCenter Server Appliance using WinSCP.)
  3. Change into the /tmp directory using: cd /tmp
  4. Run: python checksts.py
    • For Windows, run: "%VMWARE_PYTHON_BIN%" checksts.py
Appliance: (screenshot of checksts.py output on the VCSA, not reproduced here)

Windows: (screenshot of checksts.py output on Windows, not reproduced here)
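The checksts.py script attached to the KB is not reproduced on this page. The following is an added example, not VMware's script, that applies the same decision rule from the Resolution section (replace if expiring within 6 months, otherwise schedule) to the Validity dates of an STS signing certificate, given in the ASN.1 UTCTime or GeneralizedTime form found in the certificate itself. It also flags the roughly two-year lifetime that marks the affected 6.5 U2+ deployments. The sample dates are constructed; the function and threshold names are this example's own.

```python
"""Assess an STS signing certificate's validity dates against the KB 79248 thresholds.

Inputs are ASN.1 time strings as stored in a certificate's Validity field:
UTCTime "YYMMDDHHMMSSZ" or GeneralizedTime "YYYYMMDDHHMMSSZ".
"""
from datetime import datetime, timezone
from typing import Optional

TWO_YEAR_DAYS = 730        # affected deployments issue a ~2-year STS certificate
REPLACE_WINDOW_DAYS = 183  # KB: replace if the certificate expires within 6 months


def parse_asn1_time(value: str) -> datetime:
    """Parse a Zulu UTCTime (13 chars) or GeneralizedTime (15 chars) into a UTC datetime."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a Zulu ASN.1 time, got {value!r}")
    body = value[:-1]
    if len(body) == 12:  # UTCTime: two-digit year, RFC 5280 pivots at 50
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        body = f"{year}{body[2:]}"
    elif len(body) != 14:
        raise ValueError(f"unsupported ASN.1 time length: {value!r}")
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def assess_sts_cert(not_before: str, not_after: str, now: Optional[str] = None) -> dict:
    """Return lifetime, days remaining and the KB's recommended action.

    `now` is an ASN.1 time string for reproducible checks; None means the current UTC time.
    """
    nb, na = parse_asn1_time(not_before), parse_asn1_time(not_after)
    ref = parse_asn1_time(now) if now else datetime.now(timezone.utc)
    lifetime_days = (na - nb).days
    remaining_days = (na - ref).days
    if remaining_days < 0:
        action = "expired: regenerate and replace the STS certificate now"
    elif remaining_days <= REPLACE_WINDOW_DAYS:
        action = "replace now: certificate expires within 6 months"
    else:
        action = "schedule replacement before expiry"
    return {
        "lifetime_days": lifetime_days,
        "two_year_lifetime": abs(lifetime_days - TWO_YEAR_DAYS) <= 2,
        "remaining_days": remaining_days,
        "action": action,
    }


if __name__ == "__main__":
    # Constructed sample: certificate issued 2018-06-01 with a two-year lifetime, checked on 2020-03-01.
    for key, val in assess_sts_cert("180601120000Z", "200601120000Z", "20200301000000Z").items():
        print(f"{key}: {val}")
```

Feed it the notBefore/notAfter values read from the STS Signing page or from the certificate exported from the PSC; a True two_year_lifetime with a short remaining_days is the case this KB describes.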