[How-To] Renew the STS Signing Root Certificate in vCenter


I recently had a call from a customer who had received multiple alerts that their ESXi host certificates were about to expire. This was unusual because this environment, like many others, lets the VMCA (VMware Certificate Management Authority) handle the host certificates, which means certificate renewal happens automatically.

Root-Cause: STS Signing Certificate Expiration

Upon investigating the environment it became clear what was happening. The root certificate used to issue the host certificates was itself about to expire. Since a certificate cannot be trusted beyond the lifetime of the CA that issued it, every certificate this root had issued was effectively only valid until the expiration date of the CA root certificate, no matter what its own expiry date said.

Figure: Root Certificate Expiration

Renewing the CA STS Signing Root Certificate

The following are the commands used to renew that certificate. Please make sure to take a snapshot of your vCenter before issuing these commands.

cp /usr/lib/vmware-vmca/share/config/certool.cfg /tmp/vcma.cfg
cd /usr/lib/vmware-vmca/bin/
./certool --genselfcacert --outprivkey /tmp/key.key --outcert /tmp/vcma.cer --config /tmp/vcma.cfg
./certool --rootca --cert /tmp/vcma.cer --privkey /tmp/key.key
service-control --stop --all
service-control --start vmafdd
service-control --start vmdird
service-control --start vmcad
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /tmp/vcma.cer
service-control --start --all

First we copy the template to /tmp/vcma.cfg. Then we change directory to where the tool “certool” is located (not to be confused with the command certtool!).

Next we use that command to generate a self-signed CA certificate, writing the private key and the certificate to the /tmp folder and using the template we copied as the config.

Then we install that certificate as the VMCA root CA with the --rootca command, pointing it at the certificate and private key we just generated.

Afterwards we stop all services and start only the three services we need (vmafdd, vmdird and vmcad), and then we publish our new certificate to the trusted certificate store.

As the last command we start the rest of the services again.

After completing these steps we can click “Refresh with vCenter Certificate” and should then see a new certificate that is valid for ten years.
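To confirm the problem before the renewal and the fix after it, the following added check (not part of the original post) compares the root certificate's expiry with the host certificates it issued. It assumes the openssl CLI is available and that the certificates have been exported as PEM files; the file paths on the command line are placeholders.

```python
"""Check whether host certificates effectively expire because their issuing root does."""
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Format printed by "openssl x509 -noout -enddate", e.g. "notAfter=Jun  5 12:00:00 2025 GMT"
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"


def parse_enddate(line: str) -> datetime:
    """Parse one 'notAfter=...' line from openssl into an aware UTC datetime."""
    _, _, value = line.strip().partition("=")
    value = " ".join(value.split())  # openssl pads single-digit days with two spaces
    return datetime.strptime(value, OPENSSL_DATE).replace(tzinfo=timezone.utc)


def cert_enddate(pem_path: str) -> datetime:
    """Read notAfter from a PEM file via the openssl CLI (assumed to be installed)."""
    out = subprocess.check_output(
        ["openssl", "x509", "-noout", "-enddate", "-in", pem_path], text=True)
    return parse_enddate(out)


def expiry_findings(root_not_after, host_certs, now, warn_days=90):
    """Return (name, reason) pairs for certificates that become invalid within warn_days.

    A host certificate is only usable until its issuing root expires, so its
    effective expiry is the earlier of its own notAfter and the root's notAfter.
    """
    findings = []
    horizon = now + timedelta(days=warn_days)
    if root_not_after <= horizon:
        findings.append(("VMCA root", f"root expires {root_not_after:%Y-%m-%d}"))
    for name, not_after in host_certs.items():
        effective = min(not_after, root_not_after)
        if effective <= horizon:
            why = "issuing root expires first" if not_after > root_not_after else "own expiry"
            findings.append((name, f"effectively expires {effective:%Y-%m-%d} ({why})"))
    return findings


if __name__ == "__main__":
    # Usage: check_expiry.py <root.cer> <host1.cer> [<host2.cer> ...]  (paths are placeholders)
    root = cert_enddate(sys.argv[1])
    hosts = {p: cert_enddate(p) for p in sys.argv[2:]}
    for name, reason in expiry_findings(root, hosts, datetime.now(timezone.utc)):
        print(f"{name}: {reason}")
```

Run it once against the old root to reproduce the alerts, and again against the renewed /tmp/vcma.cer: the host findings should disappear because the new root outlives every host certificate.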

Next Steps

If you’re interested in more of the advanced Features of vSphere, VCF or any other VMware product feel free to reach out to us at any time. We will be at VMware Explore 2025 in Las Vegas, hit us up on LinkedIn to meetup for a chat.
