You're correct: running Option 8 in the certificate-manager regenerates all certificates except the STS certificate. That one needs to be refreshed manually via the vSphere Client.
Yes, the right process for the STS cert is:
vSphere Client → Administration → Certificate Management → STS Certificates → Actions → "Refresh STS Root Certificate", and select "Use vCenter Machine Certificate".
This will update the STS chain to match the machine cert, including the new root. It's critical that the STS cert's validity period aligns with the Machine SSL certificate; otherwise host trust issues will persist, which explains the red/critical status you're seeing.
To confirm the environment is using the new cert:
- From the vCenter shell, run:
  and check the validity period and issuer.
- You can also validate the STS cert itself:
If you still see multiple root certs under "Trusted Root Chains", that's fine; vCenter keeps old ones until they're explicitly removed. What matters is that the active chain (used for STS and machine certs) matches the newly issued root.
Original Message:
Sent: Jun 06, 2025 01:51 PM
From: scale21
Subject: vCenter 7.0u3v self-signed certificate upgrade
All of my self signed certs including the trusted root certs are going to expire in the next week.
I was instructed to run the cert manager via option 8 to get all certs replaced.
This did update all certs in vCenter but did not update the STS cert. Do I just need to go to vCenter --> Administration --> Certificate Management --> click my STS certificate --> Actions and choose refresh with vCenter certificate? I assume that means it will refresh with the _Machine-Cert with the new date to match it.
Is this the proper process for the STS one? The tech I am working with is out today (of course). I have tried to escalate the case a couple of times and have asked for an update 3 or 4 times and haven't heard back yet.
Also, when running option 8 I can see that it generated a new trusted root cert. The other 2 that were there prior are still there. How can I tell if the environment is using the new cert for sure?
Right now all my hosts are still showing red/critical due to the certificate. I assume this is due to the STS cert date not updating yet, but I want to rule out that it is reading the correct trusted root cert and not one of the old ones that is listed.
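Both posts above ask the same thing: with three roots in TRUSTED_ROOTS, which one is the Machine SSL certificate actually chained to? The script below is an added example and is not code from the thread or from VMware. It takes the text form that `vecs-cli entry list --store <STORE> --text` prints (the two vecs-cli invocations in the comments are the documented ones and are assumed to still apply on 7.0u3) and matches the machine cert's Authority Key Identifier against each root's Subject Key Identifier, because a regenerated VMCA root normally carries the same Subject DN as the old one when the certool.cfg values are reused, so comparing names alone cannot distinguish them. The certificate text embedded in the script is constructed to look like that output; the aliases, key ids, hostnames and dates are placeholders, not values from anyone's vCenter.

```sh
#!/bin/sh
# Added example (not from the thread or from VMware): after certificate-manager
# Option 8, tell which TRUSTED_ROOTS entry really issued the Machine SSL cert
# by matching key identifiers, not names. On a real vCenter the two dumps come
# from (paths/flags as used in VMware's own KBs, assumed unchanged here):
#   /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text
#   /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text
# Both texts below are CONSTRUCTED in that shape; names, aliases, key ids and
# dates are placeholders, not values from the poster's environment.

MACHINE_SSL_TEXT='Number of entries in store : 1
Alias : __MACHINE_CERT
Certificate:
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=vcsa.example.test, OU=VMware Engineering
        Validity
            Not Before: Jun  6 18:00:00 2025 GMT
            Not After : Jun  6 18:00:00 2027 GMT
        Subject: CN=vcsa.example.test, C=US
            X509v3 Subject Key Identifier:
                11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
            X509v3 Authority Key Identifier:
                keyid:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB'

# Two roots with the SAME Subject DN (a regenerated VMCA root normally keeps the
# DN built from certool.cfg), so matching on the name alone is ambiguous.
TRUSTED_ROOTS_TEXT='Number of entries in store : 2
Alias : 0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a
Certificate:
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=vcsa.example.test, OU=VMware Engineering
        Validity
            Not Before: Jun 10 18:00:00 2015 GMT
            Not After : Jun 10 18:00:00 2025 GMT
        Subject: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=vcsa.example.test, OU=VMware Engineering
            X509v3 Subject Key Identifier:
                AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
Alias : 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
Certificate:
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=vcsa.example.test, OU=VMware Engineering
        Validity
            Not Before: Jun  6 18:00:00 2025 GMT
            Not After : Jun  6 18:00:00 2035 GMT
        Subject: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=vcsa.example.test, OU=VMware Engineering
            X509v3 Subject Key Identifier:
                BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB'

# First "Label: value" line in openssl-style certificate text ($1) for label $2,
# e.g. Issuer, Subject or "Not After".
cert_field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2 *: *//p" | head -n 1
}

# Hex key identifier on the line after the "X509v3 <kind> Key Identifier"
# header in $1; $2 is Subject or Authority. Strips the keyid: prefix that
# OpenSSL 1.x prints in front of an Authority Key Identifier.
key_id() {
    printf '%s\n' "$1" | awk -v kind="$2" '
        found { sub(/^ *(keyid:)?/, ""); print; exit }
        $0 ~ ("X509v3 " kind " Key Identifier") { found = 1 }'
}

# Lines belonging to the entry whose "Alias :" line is $2, out of the dump $1.
store_entry() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Alias :/ { sub(/^Alias :[ \t]*/, ""); keep = ($0 == want); next }
        keep { print }'
}

# Alias of the TRUSTED_ROOTS entry whose Subject Key Identifier equals the
# machine cert's Authority Key Identifier, i.e. the root that signed it.
# Returns 1 and prints nothing when no root matches: the chain is broken.
active_root() {
    aki=$(key_id "$1" Authority)
    [ -n "$aki" ] || return 1
    for alias in $(printf '%s\n' "$2" | sed -n 's/^Alias :[[:space:]]*//p'); do
        if [ "$(key_id "$(store_entry "$2" "$alias")" Subject)" = "$aki" ]; then
            printf '%s\n' "$alias"
            return 0
        fi
    done
    return 1
}

report() {
    printf 'Machine SSL issuer:   %s\n' "$(cert_field "$MACHINE_SSL_TEXT" Issuer)"
    printf 'Machine SSL expires:  %s\n' "$(cert_field "$MACHINE_SSL_TEXT" 'Not After')"
    root=$(active_root "$MACHINE_SSL_TEXT" "$TRUSTED_ROOTS_TEXT") || {
        echo 'No trusted root matches the machine cert AKI: chain is broken' >&2
        return 1
    }
    printf 'Issuing root alias:   %s\n' "$root"
    printf 'Issuing root expires: %s\n' \
        "$(cert_field "$(store_entry "$TRUSTED_ROOTS_TEXT" "$root")" 'Not After')"
}
report
```

On the constructed input the report names the second alias (the 2025-issued root) as the issuer even though both roots print the identical Issuer/Subject DN, which is exactly the ambiguity the original poster is worried about. This is a bookkeeping check, not a cryptographic one: once you have the matching root's PEM (`vecs-cli entry getcert --store TRUSTED_ROOTS --alias <alias>`), `openssl verify -CAfile root.pem machine.pem` is the definitive confirmation that the signature chains.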