vCenter Single Sign On provides a Security Token Service (STS). The Security Token Service is a Web service that issues, validates, and renews security tokens. You can manually refresh the existing Security Token Service certificate when it expires or changes.

When you use vCenter Single Sign On with vSphere, consider the following types of certificates.

SSL certificates, which are used to establish a secure connection with the Single Sign On server. These certificates are not used to validate tokens or authenticate solutions, and they are not the same SSL certificates that vCenter Server uses.

STS certificates, which are used for Single Sign On token validation.

STS certificates expire or change periodically and you must update or refresh them. In some environments, your system administrator might implement automatic updates of the certificate. Otherwise, you can update the certificate manually using the Single Sign On administration tool.


You must restart the vSphere Web Client service after you refresh the Security Token Service certificate.


1. Browse to Administration > Sign-On and Discovery > Configuration in the vSphere Web Client.

2. Select the STS Certificate tab and click Edit.

3. Click Browse to browse to the key store JKS file that contains the new certificate and click Open.

   If the key store file is valid, the STS certificate table is populated with the certificate information.

4. Click OK.

   The new certificate information appears on the STS Certificate tab.

5. Restart the vSphere Web Client service.
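Before selecting the key store JKS file in the procedure above, it is worth confirming that the certificate it holds is actually current: the Web Client only reports whether the file is a valid key store, not whether the certificate inside it is already expired or about to expire again. The following script is an added example, not VMware code. It assumes you have listed the key store with the JDK's keytool (`keytool -list -v -keystore sts.jks`) and that keytool prints validity in the usual "Valid from: ... until: ..." form; the listing embedded below is constructed for illustration, and the alias `sts` is a placeholder.

```python
"""Pre-check a JKS listing before uploading the key store on the STS Certificate tab.

Added example (not VMware's code). Assumes keytool's "-list -v" output format;
the sample listing below is constructed and the alias "sts" is a placeholder.
"""
import re
from datetime import datetime, timedelta, timezone

ALIAS_LINE = re.compile(r"^Alias name: (?P<alias>.+)$")
CHAIN_LINE = re.compile(r"^Certificate\[(?P<index>\d+)\]:$")
VALID_LINE = re.compile(r"^Valid from: (?P<nb>.+?) until: (?P<na>.+)$")
KEYTOOL_DATE = "%a %b %d %H:%M:%S %Z %Y"  # e.g. "Mon Jan 15 00:00:00 UTC 2024"

# Constructed sample of `keytool -list -v` output: one PrivateKeyEntry whose
# chain is a leaf (Certificate[1]) issued by an in-house CA (Certificate[2]).
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: sts
Creation date: Jan 15, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=ssoserver, DC=vsphere, DC=local
Issuer: CN=CA, DC=vsphere, DC=local
Valid from: Mon Jan 15 00:00:00 UTC 2024 until: Wed Jan 15 00:00:00 UTC 2025
Certificate[2]:
Owner: CN=CA, DC=vsphere, DC=local
Issuer: CN=CA, DC=vsphere, DC=local
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Sun Jan 01 00:00:00 UTC 2034
"""


def _parse_date(text):
    # keytool prints the zone name; the sample uses UTC, so attach that tzinfo.
    return datetime.strptime(text.strip(), KEYTOOL_DATE).replace(tzinfo=timezone.utc)


def parse_keytool_listing(listing):
    """Return one dict per certificate found: alias, chain index, not_before, not_after."""
    entries = []
    alias, index = None, 1
    for raw in listing.splitlines():
        line = raw.strip()
        if m := ALIAS_LINE.match(line):
            alias, index = m.group("alias"), 1       # new entry, chain restarts at 1
        elif m := CHAIN_LINE.match(line):
            index = int(m.group("index"))            # position within the chain
        elif (m := VALID_LINE.match(line)) and alias is not None:
            entries.append({
                "alias": alias,
                "index": index,
                "not_before": _parse_date(m.group("nb")),
                "not_after": _parse_date(m.group("na")),
            })
    return entries


def check_keystore(listing, now, warn_days=30):
    """Classify every certificate as expired, not-yet-valid, expiring or ok at time `now`."""
    results = {}
    for e in parse_keytool_listing(listing):
        key = f"{e['alias']}[{e['index']}]"
        if now >= e["not_after"]:
            results[key] = "expired"
        elif now < e["not_before"]:
            results[key] = "not-yet-valid"
        elif e["not_after"] - now <= timedelta(days=warn_days):
            results[key] = "expiring"      # valid today, but schedule the next refresh
        else:
            results[key] = "ok"
    return results


def safe_to_upload(results):
    """True only if the listing had certificates and none is outside its validity window."""
    return bool(results) and all(s in ("ok", "expiring") for s in results.values())


if __name__ == "__main__":
    status = check_keystore(SAMPLE_LISTING, datetime.now(timezone.utc))
    for name, state in status.items():
        print(f"{name}: {state}")
    print("safe to upload:", safe_to_upload(status))
```

Run it against the real listing of the key store you intend to select; an "expiring" result on the leaf certificate means the refresh you are about to perform will need repeating soon, and an "expired" result means the Web Client would accept the file but token validation would still fail.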