Refreshing Security Token Service (STS) Root Certificate in vSphere Web Client

This is one of the shortest blogs I have written so far; however, I have seen a lot of confusion around certificates in vSphere 6, so I thought I would write a quick one on this.

The vCenter Single Sign-On server includes a Security Token Service (STS). The Security Token Service is a Web service that issues, validates, and renews security tokens.

You can manually refresh the existing Security Token Service certificate from the vSphere Web Client when the certificate expires or changes.

You can replace the existing STS signing certificate from the vSphere Web Client if your company policy requires it, or if you want to update an expired certificate.


1 Log in to the vSphere Web Client as administrator@vsphere.local or as another user with vCenter Single Sign-On administrator privileges.

Users with vCenter Single Sign-On administrator privileges are in the Administrators group in the vsphere.local domain.

2 Browse to Administration > Single Sign-On > Configuration.

3 Select the Certificates tab, then the STS Signing sub tab, and click the Add STS Signing Certificate icon.

4 Click Browse to browse to the key store JKS file that contains the new certificate and click Open.


If the key store file is valid, the STS certificate table is populated with the certificate information.

5 Click OK.

The new certificate information appears on the STS Signing tab.

Now restart the vSphere Web Client service. You can find all services in the System Configuration area of Administration.