VMware vSphere

  • 1.  vCenter 6.0 with External PSC - STS certificate expired and needs rebuild!

    Posted 13 days ago

    I've got a tricky situation with a Windows-based vCenter 6.0 environment with external PSC. The STS certificate appears to have expired (it's a 10 year validity) and the vCenter server services won't start (specifically, the inventory service). I can assure you we have tried all manner of KBs from Broadcom to try and identify the cert, renew it - from scripts, certificate-manager, vecs-cli.exe utility and so on, including using VMCA to sign a custom CSR to create a new root certificate. In all attempts, we find that the VMCA can't renew the certificates assigned to the services on the PSC, which is indicative of the STS cert having expired.

    Anyhow, we are now in the position that we need to rebuild the environment. We have no backup (don't ask!) of vCenter. There is the adjoining SQL database available. We have vCenter 5.5 binaries. This environment has legacy dependencies so it's not possible to upgrade to later vCenter - I know, burning platform, no support from Broadcom, production systems = asking for trouble.

    Has anyone performed this type of task or has any suggestions on how to approach it? There is some vCloud Director integration as we can see several VDS configured on the ESXi hosts, as well as various other distributed port groups/switches - presumably, if we rebuild vCenter the vDS and integration to vCD will be broken because the new vCenter will assign different UIDs to those objects? Will VC ingest the pre-existing objects if we simply uninstall the PSC+VC and reinstall it all?

    Any guidance would be welcomed.

    Thanks

  • 2.  RE: vCenter 6.0 with External PSC - STS certificate expired and needs rebuild!
    Best Answer

    Posted 8 days ago

    Hi dbaker,

    You're unfortunately hitting a known limitation with vCenter 6.0 and external PSC when the STS certificate (10-year validity) expires. Once expired, vCenter services like the inventory service won't start, and VMCA can't reissue the STS cert because it's not designed to do so.

    There is no supported way to recover from an expired STS certificate in vSphere 6.0 with external PSC. The only viable option is a full rebuild. Since you mentioned you have no backup and legacy dependencies, I'd strongly recommend rebuilding using the same hostnames and IPs to avoid breaking integrations (like vCD and VDS).

    Keep in mind: new vCenter instances will generate new UUIDs and MOIDs, so pre-existing vCD objects won't be recognized. You'll likely need to recreate the vCenter to vCD provider mapping. Re-adding the old vCenter will not preserve object references.

    Unfortunately, there is no shortcut or supported fix once the STS cert has expired in this setup.
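The failure mode in both posts is a long-lived signing certificate that nobody was watching, and which cannot be reissued once its NotAfter date passes. The Go program below is an added example written for this thread, not code from VMware, Broadcom or either poster: it takes a certificate in PEM form (exported from the PSC by whatever tool you use; the question mentions vecs-cli.exe, but no export command is assumed here) and reports how many days remain, whether it has expired, and whether it is inside a warning window. The 90-day warning threshold and the "10-year certificate" sample windows are assumptions; the certificates it checks are self-signed ones it constructs in memory so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertStatus summarises where a certificate sits in its validity window.
type CertStatus struct {
	Subject   string
	NotBefore time.Time
	NotAfter  time.Time
	DaysLeft  int  // whole days until NotAfter; negative once expired
	Expired   bool // now is past NotAfter
	Warn      bool // still valid, but NotAfter is within warnDays of now
}

// CheckPEM parses the first CERTIFICATE block in pemData and evaluates its
// validity window at the instant "now". Only the dates are inspected; no
// chain building or signature verification is attempted.
func CheckPEM(pemData []byte, now time.Time, warnDays int) (CertStatus, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertStatus{}, errors.New("no CERTIFICATE block found in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertStatus{}, err
	}
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	st := CertStatus{
		Subject:   cert.Subject.String(),
		NotBefore: cert.NotBefore,
		NotAfter:  cert.NotAfter,
		DaysLeft:  days,
		Expired:   now.After(cert.NotAfter),
	}
	st.Warn = !st.Expired && days <= warnDays
	return st, nil
}

// newSelfSignedPEM builds a constructed self-signed certificate with the given
// validity window. It stands in for a real STS signing certificate so the
// example can run without access to a PSC.
func newSelfSignedPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now().UTC()
	issued := now.AddDate(-10, 0, 0) // a 10-year certificate issued at install time
	// Constructed sample windows: one already expired, one inside the warning
	// window, one comfortably valid.
	samples := map[string]time.Time{
		"expired-last-week":  now.AddDate(0, 0, -7),
		"expires-in-60-days": now.AddDate(0, 0, 60),
		"expires-in-2-years": now.AddDate(2, 0, 0),
	}
	for name, notAfter := range samples {
		pemData, err := newSelfSignedPEM(name, issued, notAfter)
		if err != nil {
			fmt.Println("build failed:", err)
			continue
		}
		st, err := CheckPEM(pemData, now, 90)
		if err != nil {
			fmt.Println("check failed:", err)
			continue
		}
		fmt.Printf("%-20s expired=%-5t warn=%-5t daysLeft=%d notAfter=%s\n",
			name, st.Expired, st.Warn, st.DaysLeft, st.NotAfter.Format("2006-01-02"))
	}
}
```

Run against an exported PEM on a schedule, the Warn flag is the alert that should fire months before the day the inventory service stops starting; once Expired is true the answer above applies and the only path left is a rebuild.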