Sample Exchange

May 28, 2020 07:39 PM

Retrieves the vCenter Security Token Service (STS) signing certificate.  Per KB79248 "If the vCenter Server was deployed as version 6.5 Update 2 or later, the Security Token Service (STS) signing certificate may have a two-year validity period. Depending on when vCenter was deployed, this may be approaching expiry."

This PowerShell script/function will connect to the vCenter(s) specified and retrieve the STS signing certificates, with their expiration dates, from the vCenter LDAP database.


  1. Open a PowerShell command line, and change to the directory you saved the script in
  2. Use the command: ". ./Get-STSCerts.ps1" to load the function
  3. Run the command: Get-STSCerts -vcenters -user administrator@vsphere.local -password P@$$w0rd
    1. If you don't specify the password, it will prompt you and obfuscate it as you type.
    2. The user MUST be a vSphere local account. It can't be from an external source like AD.
    3. The username has to be in the SPN format:
    4. For multiple vCenters, you can create an array of vCenters, and pipe it to the function
      1. $vCenters =  "","",""
      2. $vCenters | -user administrator@vsphere.local -password P@$$w0rd
    5. For help, type "get-help Get-STSCerts" for examples, and details


Get-STSCerts.ps1   5 KB   1 version
Uploaded - Apr 09, 2024


Aug 18, 2021 06:54 PM

In addition to my last comment, I also had a situation where the SPN is longer than the default of vsphere.local . I wanted a way to dynamically create the userDN and baseDN for the LDAP queries. I added the lines below to create the DNs based on the length of the SPN.
I am sure there is a more efficient way to do this, but for now it is working.

Aug 18, 2021 05:17 PM

To filter the "expiry date" of the certificate, I added a computed value for DaysRemaining (the difference from today to the X509Cert.NotAfter date).
Get-STSCerts -vcenters
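The following is an added example written for this page; it is not the uploaded Get-STSCerts.ps1 and not code from either commenter. It puts together the three things discussed above: building the userDN and baseDN dynamically from the SPN (so a domain with more components than vsphere.local works), binding to the vCenter/PSC LDAP endpoint on port 389 the way the description outlines, and computing a DaysRemaining value so the output can be filtered to certificates expiring within 30 days. The LDAP container cn=<domain>,cn=Tenants,cn=IdentityManager,cn=Services,<baseDN>, the objectClass vmwSTSTenantCredential and the userCertificate attribute are assumptions about where vCenter stores the STS tenant credentials; verify them against your own vmdir before relying on the output. The function name Get-StsSigningCertExpiry and the sample host name are also made up for the example.

```powershell
# Added example, not the sample's Get-STSCerts.ps1. Requires the
# System.DirectoryServices.Protocols assembly (Windows PowerShell or PowerShell 7).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-VmdirDNs {
    # Derive the bind DN, base DN and STS container from an SPN such as
    # administrator@vsphere.local or administrator@corp.example.local
    param([Parameter(Mandatory)][string]$Spn)
    $userName, $domain = $Spn.Split('@', 2)
    if (-not $domain) { throw "User must be in SPN format (user@domain)" }
    # Each dotted component becomes one dc= element: vsphere.local -> dc=vsphere,dc=local
    $baseDN = ($domain.Split('.') | ForEach-Object { "dc=$_" }) -join ','
    [pscustomobject]@{
        Domain = $domain
        BaseDN = $baseDN
        UserDN = "cn=$userName,cn=Users,$baseDN"
        # Assumed location of the STS tenant credentials (adjust if your vmdir differs)
        StsDN  = "cn=$domain,cn=Tenants,cn=IdentityManager,cn=Services,$baseDN"
    }
}

function Get-StsSigningCertExpiry {
    [CmdletBinding()]
    param(
        # vCenter FQDN, or the PSC FQDN in a distributed (external PSC) deployment
        [Parameter(Mandatory, ValueFromPipeline)][string]$Server,
        [Parameter(Mandatory)][string]$User,            # SPN format, local vSphere account
        [Parameter(Mandatory)][securestring]$Password,
        [int]$WarnDays = 30                             # flag certs expiring within this many days
    )
    process {
        $dn   = ConvertTo-VmdirDNs -Spn $User
        $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 389)
        $cred = [System.Net.NetworkCredential]::new($dn.UserDN, $Password)
        $ldap = [System.DirectoryServices.Protocols.LdapConnection]::new($id, $cred, 'Basic')
        $ldap.SessionOptions.ProtocolVersion = 3
        # A "The LDAP server is unavailable" exception here means port 389 is not reachable
        # on $Server (wrong host, firewall, or a vCenter that is not the PSC).
        $ldap.Bind()
        try {
            $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
                $dn.StsDN, '(objectClass=vmwSTSTenantCredential)', 'Subtree', 'userCertificate')
            $resp = $ldap.SendRequest($req)
            foreach ($entry in $resp.Entries) {
                $attr = $entry.Attributes['userCertificate']
                if (-not $attr) { continue }
                foreach ($raw in $attr.GetValues([byte[]])) {
                    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
                    $days = [int]($cert.NotAfter - (Get-Date)).TotalDays
                    [pscustomobject]@{
                        Server        = $Server
                        Entry         = $entry.DistinguishedName
                        Subject       = $cert.Subject
                        NotAfter      = $cert.NotAfter
                        DaysRemaining = $days
                        ExpiresSoon   = ($days -le $WarnDays)
                    }
                }
            }
        }
        finally { $ldap.Dispose() }
    }
}

# Usage (host name is a made-up placeholder): pipe one or more servers in and keep
# only the certificates that expire within the warning window.
# 'vcenter01.example.test' |
#     Get-StsSigningCertExpiry -User administrator@vsphere.local -Password (Read-Host -AsSecureString 'Password') |
#     Where-Object ExpiresSoon | Format-Table Server, Subject, NotAfter, DaysRemaining
```

Binding with a DN rather than the bare SPN is why the account must be local to vmdir: an AD-backed identity source has no cn=Users entry under the vSphere base DN. The port-389 bind is plaintext; if your environment permits it, switching the identifier to port 636 and setting $ldap.SessionOptions.SecureSocketLayer = $true before Bind() keeps the credential off the wire, at the cost of needing to trust the vCenter's LDAPS certificate.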

Mar 30, 2021 11:47 AM

Can we get the output of the script filtered with expiry date in advance of 30 days?

Dec 18, 2020 05:05 PM

I was able to run the commands in the instruction Point 1 and 2. But getting the below error for point 3. Any suggestion:
Get-STSCerts : The term 'Get-STSCerts' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1

Dec 14, 2020 10:18 PM

Also note that if you are using a distributed (PSC(s) + vCenter) environment, you must point to the PSC(s) not the vCenter... (pointing to vCenter will return a "The LDAP server is unavailable." error)

Nov 24, 2020 01:47 PM

The typo in the description was fixed per last comment: Run the command: Get-STSCerts -vcenters -user administrator@vsphere.local -password P@$$w0rd

Nov 09, 2020 10:29 AM

There is a mistake in the description:
Run the command: Get-STSCerts -vcenters -user administrator@vsphere.local -password P@$$w0rd
Should be
Run the command: Get-STSCerts -vcenters -user administrator@vsphere.local -password P@$$w0rd
(no dash before the server FQDN, otherwise you will get a Bind error)

Nov 06, 2020 08:11 PM

@2243882484, I modified the script so the certificate import works in Powershell Core now.

Oct 06, 2020 03:42 PM

This doesn't work on PowerShell Core - you may want to consider making it PowerShell Core compatible because that's Microsoft's cross-platform PowerShell and not all of us use Windows...

Sep 14, 2020 02:10 PM

@mcgoo Forgot to mention,
Problematic vCenters are running vCenter 6.7 Build 15505374 and 16243230.
Script is working fine on other vCenters running 6.7 Build 16046713 and 15976728 and 16616668.
The error with problematic ones is the same as what @gertvangorp mentioned.

Sep 14, 2020 11:46 AM

Thanks for the script. We are trying to monitor all our vCenter servers using this script.
It seems to be working fine for all of them except two, which are not listening on 389 or 636. Any idea where to check/enable that in vCenter?

Sep 03, 2020 12:40 PM

Sorry so slow @gertvangorp, I didn't get notified of this message. Can you get through to that server on port 389? It will try to bind to ldap via that port.

Aug 11, 2020 02:02 PM

When I test this against a vCenter Server 6.5u2 I get an error on line 83 ($ldapconnect.bind)
the error = Exception calling "Bind" with "1" argument(s): "The LDAP server is unavailable."
Is this because I am using the IP address of the vCenter (cannot use the DNS name because of some firewall rules)?
