A common issue seen by VMware Support is when SSL certificates expire. In vCenter Server 5.1 and 5.5 recovering from expired certificates (without re-installing) requires a very specific set of instructions otherwise you may end up needing to re-install.
Ideally you remember that your vCenter Server certificates are due for expiration and replace them before that D-Day, however if they do lapse then the following KB articles are your friends.
There is still one more certificate that can trip you up, and that is the STS certificate. This one isn’t replaced by any of the SSL Automation Tools provided by VMware and VMware does not typically advise replacing this one with your own certificate unless absolutely required.
If you do find that your custom STS certificate is expired, the following steps will restore it back to a default certificate. You should perform this before attempting to replace the remaining certificates. This process is only for vCenter Server 5.5
vCenter Server 5.5
1. Open a command prompt as Administrator on the machine running SSO
2. Stop the STS Service
net stop VMwareSTS
3. Navigate to the following directory
4. Run the following command to restore the STS certificate to it’s default.
"c:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components\bin\java.exe" -cp "c:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\*;c:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\lib\*;.;*" com.vmware.identity.installer.STSInstaller --install --root-cert-path ssoserverRoot.crt --cert-path ssoserverSign.crt --private-key-path ssoserverSign.key --retry-count 2 --retry-interval 30
5. Start the STS Service
net start VMwareSTS
vCenter Server Appliance 5.5
1 Connect to the vCenter Server Appliance via SSH as root
2 Set the following variables
export JAVA_BIN=/usr/java/jre-vmware/bin/java export CLASSPATH=/opt/vmware/lib64/*:/usr/lib/vmware-sso/commonlib/* export _SSO_ROOT_CERT_X509=/etc/vmware-sso/keys/ssoserverRoot.crt export _SSO_SIGNING_LEAF_CERT_X509=/etc/vmware-sso/keys/ssoserverSign.crt export _SSO_SIGNING_LEAF_CERT_KEY=/etc/vmware-sso/keys/ssoserverSign.key
3 Run the following command to restore the STS certificate to it’s default.
$JAVA_BIN -cp $CLASSPATH com.vmware.identity.installer.STSInstaller --install --root-cert-path "$_SSO_ROOT_CERT_X509" --cert-path "$_SSO_SIGNING_LEAF_CERT_X509" --private-key-path "$_SSO_SIGNING_LEAF_CERT_KEY"
4. Reboot the vCenter Server Appliance