Monitoring Certificate Expiration

This topic describes how to monitor the expiration of VMware Tanzu^® Operations Manager™ (Ops Manager) certificates using metrics collected by the Healthwatch Exporter for VMware Tanzu^® Application Service™ (TAS for VMs) and Healthwatch Exporter for VMware Tanzu^® Kubernetes Grid™ Integrated Edition (TKGI) tiles.

Overview of Certificate Expiration Monitoring

The metrics in the Certificate Expiration dashboard in the Grafana UI show when Ops Manager certificates are due to expire. These certificates include the Ops Manager root certificate authority (CA) and CredHub-managed leaf certificates for product tiles and BOSH deployments. For more information about these certificates, see the Ops Manager documentation.

Healthwatch Exporter for TAS for VMs and Healthwatch Exporter for TKGI deploy the certificate expiration metric exporter VM, cert-expiration-exporter. The certificate expiration metric exporter VM uses the om CLI to send a GET request with the query parameter ?expires_within=1y to the /api/v0/deployed/certificates Ops Manager API endpoint. The Ops Manager API then returns the expiration dates of all certificates that are due to expire within the next year. The Prometheus instance in your Healthwatch deployment scrapes the certificate expiration metrics from the certificate expiration metric exporter VM and sends them to Grafana. For more information about the /api/v0/deployed/certificates endpoint, see the Ops Manager API documentation.

Note: You cannot configure the certificate expiration metric exporter VM to specify a different time period when it sends a GET request to the /api/v0/deployed/certificates endpoint.

If your BOSH Director deployment uses custom CAs, you can configure them in the Trusted Certificates field in the Security pane of the BOSH Director tile. Configuring custom CAs in the Trusted Certificates field allows all BOSH-deployed components in your deployment to trust custom root certificates. For more information about this field, see the Ops Manager documentation.

If any CAs or leaf certificates for your Ops Manager foundation are due to expire soon, rotate them before they expire to avoid downtime for your foundation. To rotate CAs and leaf certificates, see the Ops Manager documentation.

Reserving a Static IP Address for the Certificate Expiration Metric Exporter VM

You do not need to configure the certificate expiration metric exporter VM for it to collect certificate expiration metrics. However, you can reserve a static IP address for the certificate expiration metric exporter VM.

To configure a static IP address for the certificate expiration metric exporter VM, see the configuration topic for your Healthwatch Exporter tile:

(Optional) Configure TAS for VMs Metric Exporter VMs in Configuring Healthwatch Exporter for TAS for VMs.
(Optional) Configure TKGI and Certificate Expiration Metric Exporter VMs in Configuring Healthwatch Exporter for TKGI.