Get-STSCerts.ps1

Retrieves the vCenter Security Token Service (STS) signing certificate. Per KB79248 "If the vCenter Server was deployed as version 6.5 Update 2 or later, the Security Token Service (STS) signing certificate may have a two-year validity period. Depending on when vCenter was deployed, this may be approaching expiry."

This PowerShell script/function will connect to the vCenter(s) specified and retrieve the STS signing certificates, with their expiration dates, from the vCenter LDAP database.

Instructions:

  1. Open a PowerShell command line, and change to the directory you saved the script in
  2. Use the command: ". ./Get-STSCerts.ps1" to load the function
  3. Run the command: Get-STSCerts -vcenters vcenter.domain.com -user administrator@vsphere.local -password P@$$w0rd
    1. If you don't specify the password, it will prompt you and obfuscate it as you type.
    2. The user MUST be a local account to vSphere. It can't be from an external source like AD.
    3. The username has to be in the SPN format: username@domain.com
    4. For multiple vCenters, you can create an array of vCenters and pipe it to the function:
      1. $vCenters = "vcenter1.domain.com","vcenter2.domain.com","vcenter3.domain.com"
      2. $vCenters | Get-STSCerts -user administrator@vsphere.local -password P@$$w0rd
    5. For help, type "get-help Get-STSCerts" for examples and details

Comments 13

7745064710 2 years ago
Hi,
When I test this against a vCenter Server 6.5u2 I get an error on line 83 ($ldapconnect.bind)
the error = Exception calling "Bind" with "1" argument(s): "The LDAP server is unavailable."
Is this because I am using the ip address of the vCenter ( cannot use the DNS name because of some firewall rules)

thanks

Gert
2848342949 2 years ago
Sorry so slow @gertvangorp, I didn't get notified of this message. Can you get through to that server on port 389? It will try to bind to ldap via that port.
4809428091 2 years ago
Thanks for the script. We are trying to monitor all our vCenter servers using this script.
It seems to be working fine for all of them except two, which are not listening on 389 or 636. Any idea where to check/enable that in vCenter?
4809428091 2 years ago
@mcgoo Forgot to mention,
Problematic vCenters are running vCenter 6.7 Build 15505374 and 16243230.
Script is working fine on other vCenters running 6.7 Build 16046713 and 15976728 and 16616668.

The error with problematic ones is the same as what @gertvangorp mentioned.
2243882484 2 years ago
This doesn't work on PowerShell Core - you may want to consider making it PowerShell Core compatible because that's Microsoft's cross-platform PowerShell and not all of us use Windows...
2848342949 2 years ago
@2243882484, I modified the script so the certificate import works in Powershell Core now.
2100669543 2 years ago
There is a mistake in the description:

Run the command: Get-STSCerts -vcenters -vcenter.domain.com -user administrator@vsphere.local -password P@$$w0rd

Should be

Run the command: Get-STSCerts -vcenters vcenter.domain.com -user administrator@vsphere.local -password P@$$w0rd

(no dash before the server FQDN, otherwise you will get a Bind error)
2848342949 2 years ago
The typo in the description was fixed per last comment: Run the command: Get-STSCerts -vcenters vcenter.domain.com -user administrator@vsphere.local -password P@$$w0rd
9056090825 2 years ago
Also note that if you are using a distributed (PSC(s) + vCenter) environment, you must point to the PSC(s) not the vCenter... (pointing to vCenter will return a "The LDAP server is unavailable." error)
6742392502 2 years ago
Hello,

I was able to run the commands in the instruction Point 1 and 2. But getting the below error for point 3. Any suggestion:

Get-STSCerts : The term 'Get-STSCerts' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
2230062077 2 years ago
Can we get the output of the script filtered with expiry date in advance of 30 days
6868968612 1 year ago
To filter the "expiry date" of the certificate, I added a computed value for DaysRemaining (the difference from today to the X509Cert.NotAfter date).

Get-STSCerts -vcenters <vCenter> -user <User> -password <Password> |where {$_.daysremaining -lt 60}

# One output record per certificate; DaysRemaining is the added property
$certificate = "" | Select vCenter,ValidFrom,ValidTo,DaysRemaining,Subject,Issuer
# $request is the LDAP search response from the script; $i indexes the userCertificate values
$cert = $request.Entries.attributes['userCertificate'].Item($i)
# Constructor form works on both Windows PowerShell and PowerShell Core (Import() does not)
$X509Cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2(,$cert)
#$X509Cert.Import([byte[]]$cert)
$certificate.vCenter = $vCenter
$certificate.ValidFrom = $X509Cert.NotBefore
$certificate.ValidTo = $X509Cert.NotAfter
$certificate.Subject = $X509Cert.Subject
$certificate.Issuer = $X509Cert.Issuer
# Whole days from now until NotAfter (negative once the certificate has expired)
$today = Get-Date
$Expirydate = Get-Date $X509Cert.NotAfter
$certificate.DaysRemaining = (New-TimeSpan -Start $today -End $Expirydate).Days
$certificates += $certificate

6868968612 1 year ago
In addition to my last comment, I also had a situation where the SPN is longer than the default of vsphere.local . I wanted a way to dynamically create the userDN and baseDN for the LDAP queries. I added the lines below to create the DNs based on the length of the SPN.

I am sure there is a more efficient way to do this, but for now it is working.

<User>@xyz.abc.something.something_else.vsphere.local

$userName = $user.Split("@")[0]
$domain = ($user.Split("@")[1]).Split(".")
# Build the dc= part from every label of the SPN domain, e.g. dc=xyz,dc=vsphere,dc=local
# (accumulators are reset first so re-running in the same session does not append to old values)
$DCnameS = ""
ForEach ($Index in (0..($domain.Count - 1))) { $dcName = "dc=" + $domain[$Index] + ","; $DCnameS += $dcName }
$userDN = "cn=$userName,cn=users," + $DCnameS.Trim(",")
# Rebuild the dotted domain for the tenant cn= part, e.g. cn=xyz.vsphere.local
$CNnameS = ""
ForEach ($Index in (0..($domain.Count - 1))) { $CNname = $domain[$Index] + "."; $CNnameS += $CNname }
$completeCN = "cn=" + $CNnameS.Trim(".")
$basedn = "cn=TenantCredential-1,$completeCN,cn=Tenants,cn=IdentityManager,cn=Services," + $DCnameS.Trim(",")
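The two comments above (the DaysRemaining filter and the DN construction from an arbitrary-length SPN) fit together into one self-contained function. The block below is an added example, not the Get-STSCerts.ps1 script or any commenter's code: it derives the user DN and base DN from the SPN with -join instead of the per-label loops, does a simple bind over port 389 with System.DirectoryServices.Protocols, reads every userCertificate value under the TenantCredential-1 entry, and emits one record per certificate with a DaysRemaining field. The function names ConvertTo-SsoDn and Get-StsSigningCertInfo are hypothetical, and the assembly is assumed to be loadable (Windows PowerShell, or PowerShell 7 where it is available).

```powershell
# Added example (not the Get-STSCerts script): SPN -> LDAP DNs, bind, read STS signing certs.
# Assumes System.DirectoryServices.Protocols can be loaded and port 389 on the vCenter/PSC is reachable.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-SsoDn {
    # Derive the SSO user DN and the TenantCredential base DN from an SPN-style user name,
    # e.g. administrator@xyz.vsphere.local -> dc=xyz,dc=vsphere,dc=local
    param([Parameter(Mandatory)][string]$User)
    $userName, $domain = $User.Split('@', 2)
    if (-not $domain) { throw "User must be in SPN format (user@domain)" }
    $dcPart = ($domain.Split('.') | ForEach-Object { "dc=$_" }) -join ','
    [pscustomobject]@{
        UserDn = "cn=$userName,cn=users,$dcPart"
        # TenantCredential-1 mirrors the base DN used in the comments above
        BaseDn = "cn=TenantCredential-1,cn=$domain,cn=Tenants,cn=IdentityManager,cn=Services,$dcPart"
    }
}

function Get-StsSigningCertInfo {
    # Bind with a local SSO account and return one record per STS signing certificate found.
    param(
        [Parameter(Mandatory)][string]$Server,          # vCenter, or the PSC in a distributed setup
        [Parameter(Mandatory)][string]$User,            # SPN format, local SSO account
        [Parameter(Mandatory)][securestring]$Password,
        [int]$Port = 389
    )
    $dn = ConvertTo-SsoDn -User $User
    $id = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind with the DN
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Credential = [System.Net.NetworkCredential]::new($dn.UserDn, $Password)
    try {
        $conn.Bind()   # "The LDAP server is unavailable" here means the port/host is wrong, not the DN
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $dn.BaseDn, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base, 'userCertificate')
        $resp = $conn.SendRequest($req)
        $now = Get-Date
        foreach ($entry in $resp.Entries) {
            $attr = $entry.Attributes['userCertificate']
            if (-not $attr) { continue }
            # Each value is the DER-encoded certificate; the constructor works on Windows and Core
            foreach ($raw in $attr.GetValues([byte[]])) {
                $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
                [pscustomobject]@{
                    vCenter       = $Server
                    Subject       = $x509.Subject
                    Issuer        = $x509.Issuer
                    ValidFrom     = $x509.NotBefore
                    ValidTo       = $x509.NotAfter
                    # Whole days left; negative once expired, so an "-lt 0" filter finds dead certs
                    DaysRemaining = [int][math]::Floor(($x509.NotAfter - $now).TotalDays)
                }
            }
        }
    }
    finally { $conn.Dispose() }
}

# Usage: list STS signing certificates that expire within 60 days.
# $pw = Read-Host -AsSecureString 'Password'
# Get-StsSigningCertInfo -Server vcenter.domain.com -User administrator@vsphere.local -Password $pw |
#     Where-Object DaysRemaining -lt 60
```

The password is taken as a SecureString so it never sits in plain text on the command line or in shell history, which the -password P@$$w0rd form in the instructions does not protect against. Note that a Base-scope search against TenantCredential-1 only returns that one entry; if a vCenter has rotated its STS credential to a higher-numbered TenantCredential entry, the base DN would need to be adjusted accordingly.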