In an environment with a vCenter Server Appliance (VCSA) 6.5.x, 6.7.x or vCenter Server 7.0.x, you can experience that the Security Token Service (STS) signing certificates expiring as soon as two years from the initial deployment. If expired, it can cause that you aren’t able to log in to vSphere Client or the vmware-vpxd service to fail to start. You can also have problems with replacing any other certificate on PSC or VCSA.

When the STS certificate expires, it does so without warning.

In order to resolve it first download script mentioned in KB79248 and script mentioned in KB76719 . Upload them to the VCSA through WinSCP:

(if you get an error for connecting to the VCSA via WinSCP just run the following command: chsh -s /bin/bash root).

After successfully upload, log in with ssh to the VCSA and move to the directory where you placed your script (in my case /tmp).

Run the script with the following command:


In my environment, STS certificate is about to expire in 19 days.

So I am going to replace it. First of all, take an offline snapshot concurrently for all vCenter Servers and Platform Service Controllers in the SSO domain before running the script. Failing to do so may result in an unrecoverable error and will require redeploying your vCenter Servers.

Connect to the ESXi Host where your VCSA VM resides, shut the VM down, and when offline take a snapshot.

Navigate to the /tmp directory:

and run:

 chmod +x

to make the file executable.

After that run script with a ./ command:

The script will ask for the SSO administrator password and then proceed to regenerate and replace STS certificate. Type administrator password in:

if everything went smooth and without errors, you will see the following:

now, restart services on all your vCenters and/or PSCs in your SSO domain by using below commands:

service-control --stop --all
service-control --start --all

If you do a final check, you will see that STS certificates expiration date on all your vCenters is extended for 2  years: