Expired vCenter Server 5.x Certificates

A common issue seen by VMware Support is SSL certificates expiring. In vCenter Server 5.1 and 5.5, recovering from expired certificates without re-installing requires a very specific sequence of steps; get it wrong and you may end up needing to re-install anyway.

Ideally you remember that your vCenter Server certificates are due to expire and replace them before that D-Day; if they do lapse, however, the following KB articles are your friends.

Recovering from expired SSL Certificates in VMware vCenter Server 5.5 (2096030)

Recovering from expired SSL Certificates in VMware vCenter Server 5.1 (2097692)

Recovering expired SSL Certificates in VMware vCenter Server Appliance 5.5.x (2097934)

STS Certificate

There is still one more certificate that can trip you up, and that is the STS certificate. This one isn’t replaced by any of the SSL Automation Tools provided by VMware and VMware does not typically advise replacing this one with your own certificate unless absolutely required.

If you do find that your custom STS certificate has expired, the following steps will restore it to the default certificate. Perform this before attempting to replace the remaining certificates. This process is only for vCenter Server 5.5.

vCenter Server 5.5

1. Open a command prompt as Administrator on the machine running SSO

2. Stop the STS Service

net stop VMwareSTS

3. Navigate to the following directory

cd c:\ProgramData\VMware\CIS\cfg\vmware-sso

4. Run the following command to restore the STS certificate to its default.

"c:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components\bin\java.exe" -cp "c:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\*;c:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\lib\*;.;*" com.vmware.identity.installer.STSInstaller --install --root-cert-path ssoserverRoot.crt --cert-path ssoserverSign.crt --private-key-path ssoserverSign.key --retry-count 2 --retry-interval 30

5. Start the STS Service

net start VMwareSTS

vCenter Server Appliance 5.5

1. Connect to the vCenter Server Appliance via SSH as root

2. Set the following variables

export JAVA_BIN=/usr/java/jre-vmware/bin/java
export CLASSPATH=/opt/vmware/lib64/*:/usr/lib/vmware-sso/commonlib/*
export _SSO_ROOT_CERT_X509=/etc/vmware-sso/keys/ssoserverRoot.crt
export _SSO_SIGNING_LEAF_CERT_X509=/etc/vmware-sso/keys/ssoserverSign.crt
export _SSO_SIGNING_LEAF_CERT_KEY=/etc/vmware-sso/keys/ssoserverSign.key

3. Run the following command to restore the STS certificate to its default.

$JAVA_BIN -cp $CLASSPATH com.vmware.identity.installer.STSInstaller --install --root-cert-path "$_SSO_ROOT_CERT_X509" --cert-path "$_SSO_SIGNING_LEAF_CERT_X509" --private-key-path "$_SSO_SIGNING_LEAF_CERT_KEY"

4. Reboot the vCenter Server Appliance
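Both procedures above are only needed once the STS certificate has already lapsed, so it is worth checking the expiry of the certificate files they reference (ssoserverRoot.crt, ssoserverSign.crt) ahead of D-Day. The script below is an added example, not code from the original post or from VMware; it uses only the Python standard library, so it runs on a host without openssl, and the 30-day fixture date and the empty issuer/signature placeholders are constructed test data, not a real certificate.

```python
"""Days-to-expiry check for SSO/STS certificate files (standard library only).
Walks the X.509 DER structure just far enough to read notAfter. Added example."""
import base64
import re
from datetime import datetime, timezone

def _tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(cert: bytes) -> datetime:
    """Certificate -> tbsCertificate -> validity -> notAfter, per RFC 5280 field order."""
    if b"-----BEGIN" in cert:           # PEM input: strip the armour and base64-decode
        body = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END", cert, re.S).group(1)
        cert = base64.b64decode(b"".join(body.split()))
    _, pos, _ = _tlv(cert, 0)           # Certificate SEQUENCE
    _, pos, _ = _tlv(cert, pos)         # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert, pos)
    if tag == 0xA0:                     # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                  # skip serialNumber, signature, issuer
        _, _, pos = _tlv(cert, pos)
    _, pos, _ = _tlv(cert, pos)         # validity SEQUENCE
    _, _, pos = _tlv(cert, pos)         # notBefore (skipped)
    tag, start, end = _tlv(cert, pos)   # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(cert[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def days_remaining(cert: bytes, now: datetime = None) -> int:
    """Days until notAfter; negative means expired and the recovery steps above apply."""
    return (not_after(cert) - (now or datetime.now(timezone.utc))).days

def _der(tag: int, payload: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed fixture below."""
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

# Constructed fixture: only the fields the parser walks (no real signature), valid to 2025-12-31.
SAMPLE_DER = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
    + _der(0x30, b"") + _der(0x30, b"")
    + _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"251231235959Z"))))
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n"
```

Feed days_remaining the bytes of /etc/vmware-sso/keys/ssoserverSign.crt on the appliance, or of the copy under c:\ProgramData\VMware\CIS\cfg\vmware-sso on Windows; a result of 30 or less is the cue to schedule the replacement before the recovery steps become necessary.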


2 thoughts on “Expired vCenter Server 5.x Certificates”

  1. I get error:

    java.lang.IllegalArgumentException: Entry ssoserverRoot.crt not found in store

    Any ideas why that would be?
