This topic describes the types of certificates used in VMware Tanzu Operations Manager that require planned rotation.

Overview of certificates in Tanzu Operations Manager

Tanzu Operations Manager uses certificate authorities (CAs) and various leaf certificates. CAs are self-signed certificates that issue leaf certificates. CAs can be custom or generated by Tanzu Operations Manager.

Leaf certificates are signed by a CA and are used to identify resources in Tanzu Operations Manager. Both root CAs and leaf certificates require planned rotation in Tanzu Operations Manager.

CAs and leaf certificates are stored in Tanzu Operations Manager or CredHub. You can manage both Tanzu Operations Manager and CredHub certificates with the Tanzu Operations Manager API. You can also manage CredHub certificates with CredHub Maestro.

In addition to the types of certificates listed in this topic, some Tanzu Operations Manager products issue their own tile certificates that are not managed by or visible to the Tanzu Operations Manager API. These tile certificates do not require planned rotation because they rotate automatically with product upgrades.

VMware Tanzu Application Service for VMs (TAS for VMs) and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) both use tile certificates in addition to their Tanzu Operations Manager certificates.

Certificate types

The following types of Tanzu Operations Manager certificates require planned rotation and can be viewed and managed with the Tanzu Operations Manager API:

• Tanzu Operations Manager root CA: The Tanzu Operations Manager root CA issues other certificates that Tanzu Operations Manager uses. The root CA can be an Tanzu Operations Manager-generated CA or your own custom CA. The Tanzu Operations Manager root CA expires four years after creation.

For more information about viewing the root CAs for Tanzu Operations Manager, see Listing the Root certificate authorities in the Tanzu Operations Manager API documentation.

• Other internal CAs: The following CAs are used primarily for internal purposes:

  • BOSH NATS CA: The BOSH NATS CA is rotated automatically when you rotate the Tanzu Operations Manager root CA.
  • BOSH DNS CAs: The BOSH DNS CAs are managed by CredHub and applied automatically.

• Other CredHub-managed certificates: You can also manage CAs and leaf certificates stored in CredHub, such as the Diego root CA. In TKGI v1.9 and later, these include the cluster-specfic kubo_ca_2018 and etcd_ca_2018 CAs and their leaf certificates.

• Non-configurable certificates: Non-configurable certificates are leaf certificates either created by a CA stored in Tanzu Operations Manager, or created and stored by CredHub and managed by Tanzu Operations Manager calls to the CredHub API. Non-configurable certificates are issued directly by the Tanzu Operations Manager root CA, or by intermediate CAs in a chain of trust originated by the root CA. Non-configurable certificates expire after two years.

For more information about about viewing non-configurable leaf certificates, see Getting information about certificates from products in the Tanzu Operations Manager API documentation.

For more information about generating non configurable leaf certificates, see Generating new certificates in the Tanzu Operations Manager API documentation.

• Configurable certificates: Configurable certificates are leaf certificates supplied by the user and pasted into configuration fields in Tanzu Operations Manager. Some configuration panes include a Generate RSA Certificate button that supplies valid certificates, but users can obtain configurable certificates from elsewhere.

• Non-rotatable certificates: Non-rotatable certificates are leaf certificates that, like non-configurable certificates, are issued by the root CA. Unlike non-configurable certificates, non-rotatable certificates cannot be rotated by the Tanzu Operations Manager API.