Refresh a vCenter Server STS Certificate Using the vSphere Client

Today my vCenter Server warned me that my STS signing certificates are about to expire. That is good, because if the STS certificate expires, access to vCenter will be unavailable. If you got caught by this, please read this article to resolve your issue.

You can refresh your vCenter Server STS signing certificates using the vSphere Client. The VMware Certificate Authority (VMCA) issues a new certificate and replaces the current certificate.

NOTE: If you are using a custom generated or third-party STS signing certificate, the refresh overwrites that certificate with a VMCA-issued certificate. 

To update custom generated or third-party STS signing certificates, use the import and replace option. See Import and Replace a vCenter Server STS Certificate Using the vSphere Client.

To refresh the STS signing certificate, follow these steps:

  1. Log in with the vSphere Client to the vCenter Server.
  2. Navigate to the Certificate Management UI:
    • From the Home menu, select Administration.
    • Under Certificates, click Certificate Management.
  3. Under STS Signing Certificate, click Actions > Refresh with vCenter certificate.
  4. Click REFRESH.

NOTE: You may see the Force Refresh option. If so, please consider:

  • If all the impacted vCenter Server systems are not running at least vSphere 7.0 Update 3, they do not support the certificate refresh.
  • Selecting Force Refresh requires that you restart all vCenter Server systems and can render those systems inoperable until you do so.
  • If you are unsure of the impact, click Cancel and research your environment.
  • If you are sure of the impact, click Force Refresh to proceed with the refresh then manually restart your vCenter Server systems.


If you want to chat with me please use Twitter: @AngrySysOps
