Get-STSCerts.ps1

Retrieves the vCenter Security Token Service (STS) signing certificate.  Per KB79248 "If the vCenter Server was deployed as version 6.5 Update 2 or later, the Security Token Service (STS) signing certificate may have a two-year validity period. Depending on when vCenter was deployed, this may be approaching expiry."

This PowerShell script/function will connect to the vCenter(s) specified and retrieve the STS signing certificates, with their expiration dates, from the vCenter LDAP database.

Instructions:

  1. Open a PowerShell command line, and change to the directory you saved the script in
  2. Use the command: ". ./Get-STSCerts.ps1" to load the function
  3. Run the command: Get-STSCerts -vcenters vcenter.domain.com -user administrator@vsphere.local -password P@$$w0rd
    1. If you don't specify the password, it will prompt you and obfuscate it as you type.
    2. The user MUST be a local account to vSphere. It can't be from an external source like AD.
    3. The username has to be in the SPN format: username@domain.com
    4. For multiple vCenters, you can create an array of vCenters, and pipe it to the function:
      1. $vCenters = "vcenter1.domain.com","vcenter2.domain.com","vcenter3.domain.com"
      2. $vCenters | Get-STSCerts -user administrator@vsphere.local -password P@$$w0rd
    5. For help, type "get-help Get-STSCerts" for examples and details
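An added example of the same check, not the original Get-STSCerts.ps1 and not VMware's code: it tests that port 389 answers before binding (the "LDAP server is unavailable" failure discussed in the comments), then reads the STS tenant credential certificates and reports days to expiry. The search base, object class and attribute name are assumptions about the vmdir layout, and System.DirectoryServices.Protocols must be loadable in your PowerShell session.

```powershell
# Added example, not the original Get-STSCerts.ps1. ASSUMPTIONS: STS tenant credentials live under
# cn=<sso domain>,cn=Tenants,cn=IdentityManager,cn=Services,<domain DN>, have object class
# vmwSTSTenantCredential, and carry the signing certificate in userCertificate. Verify against vmdir.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-StsSigningCertExpiry {
    param(
        [Parameter(Mandatory)][string]$VCenter,
        [Parameter(Mandatory)][pscredential]$Credential,   # local SSO user in UPN form, e.g. administrator@vsphere.local
        [string]$SsoDomain = 'vsphere.local',
        [int]$WarnDays = 30
    )
    $port = 389
    # Reachability first: "The LDAP server is unavailable" on Bind usually means nothing answered
    # on 389, not that the credentials were rejected.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($VCenter, $port) }
    catch { throw "TCP port $port on $VCenter is not reachable: $($_.Exception.Message)" }
    finally { $tcp.Dispose() }
    # vsphere.local -> dc=vsphere,dc=local
    $domainDn   = ($SsoDomain.Split('.') | ForEach-Object { "dc=$_" }) -join ','
    $searchBase = "cn=$SsoDomain,cn=Tenants,cn=IdentityManager,cn=Services,$domainDn"
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($VCenter, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind with the UPN
    try {
        $conn.Bind($Credential.GetNetworkCredential())
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $searchBase, '(objectClass=vmwSTSTenantCredential)',
            [System.DirectoryServices.Protocols.SearchScope]::Subtree, 'userCertificate')
        foreach ($entry in $conn.SendRequest($req).Entries) {
            foreach ($der in $entry.Attributes['userCertificate'].GetValues([byte[]])) {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)
                $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
                [pscustomobject]@{
                    VCenter  = $VCenter
                    Subject  = $cert.Subject
                    NotAfter = $cert.NotAfter
                    DaysLeft = $daysLeft
                    Status   = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'WARNING' } else { 'OK' }
                }
            }
        }
    }
    finally { $conn.Dispose() }
}
```

Pipe the output to Where-Object on Status to alert only on certificates inside the warning window.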


Comments (5)

gertvangorp 2 months ago
Hi,
When I test this against a vCenter Server 6.5u2 I get an error on line 83 ($ldapconnect.bind)
the error = Exception calling "Bind" with "1" argument(s): "The LDAP server is unavailable."
Is this because I am using the ip address of the vCenter ( cannot use the DNS name because of some firewall rules)

thanks

Gert
McGoo 1 month ago
Sorry so slow @gertvangorp, I didn't get notified of this message. Can you get through to that server on port 389? It will try to bind to ldap via that port.
AbhinavGupta 1 month ago
Thanks for the script. We are trying to monitor all our vCenter servers using this script.
It seems to be working fine for all of them except two, which are not listening on 389 or 636. Any idea where to check/enable that in vCenter?
AbhinavGupta 1 month ago
@mcgoo Forgot to mention,
Problematic vCenters are running vCenter 6.7 Build 15505374 and 16243230.
Script is working fine on other vCenters running 6.7 Build 16046713 and 15976728 and 16616668.

The error with problematic ones is the same as what @gertvangorp mentioned.
teward 21 days ago
This doesn't work on PowerShell Core - you may want to consider making it PowerShell Core compatible because that's Microsoft's cross-platform PowerShell and not all of us use Windows...