This topic describes the types of certificates used in VMware Tanzu Operations Manager that require planned rotation.
Tanzu Operations Manager uses certificate authorities (CAs) and various leaf certificates. CAs are self-signed certificates that issue leaf certificates. CAs can be custom or generated by Tanzu Operations Manager.
Leaf certificates are signed by a CA and are used to identify resources in Tanzu Operations Manager. Both root CAs and leaf certificates require planned rotation in Tanzu Operations Manager.
CAs and leaf certificates are stored in Tanzu Operations Manager or CredHub. You can manage both Tanzu Operations Manager and CredHub certificates with the Tanzu Operations Manager API. You can also manage CredHub certificates with CredHub Maestro.
In addition to the types of certificates listed in this topic, some Tanzu Operations Manager products issue their own tile certificates that are not managed by or visible to the Tanzu Operations Manager API. These tile certificates do not require planned rotation because they rotate automatically with product upgrades.
VMware Tanzu Application Service for VMs (TAS for VMs) and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) both use tile certificates in addition to their Tanzu Operations Manager certificates.
The following types of Tanzu Operations Manager certificates require planned rotation and can be viewed and managed with the Tanzu Operations Manager API:
For more information about viewing the root CAs for Tanzu Operations Manager, see Listing the Root certificate authorities in the Tanzu Operations Manager API documentation.
Other internal CAs: The following CAs are used primarily for internal purposes:
Other CredHub-managed certificates: You can also manage CAs and leaf certificates stored in CredHub, such as the Diego root CA. In TKGI v1.9 and later, these include the cluster-specfic kubo_ca_2018
and etcd_ca_2018
CAs and their leaf certificates.
Non-configurable certificates: Non-configurable certificates are leaf certificates either created by a CA stored in Tanzu Operations Manager, or created and stored by CredHub and managed by Tanzu Operations Manager calls to the CredHub API. Non-configurable certificates are issued directly by the Tanzu Operations Manager root CA, or by intermediate CAs in a chain of trust originated by the root CA. Non-configurable certificates expire after two years.
For more information about about viewing non-configurable leaf certificates, see Managing certificates with the Tanzu Operations Manager API.
Configurable certificates: Configurable certificates are leaf certificates supplied by the user and pasted into configuration fields in Tanzu Operations Manager. Some configuration panes include a Generate RSA Certificate button that supplies valid certificates, but users can obtain configurable certificates from elsewhere.
Non-rotatable certificates: Non-rotatable certificates are leaf certificates that, like non-configurable certificates, are issued by the root CA. Unlike non-configurable certificates, non-rotatable certificates cannot be rotated by the Tanzu Operations Manager API.