This topic describes how to check the expiration dates and types of the certificate authorities (CAs) and leaf certificates that the VMware Tanzu Operations Manager (Ops Manager) API manages. After identifying the types of certificates that expire soon, you can determine which certificate rotation procedure to follow.

Overview

There are two ways to manually check the expiration dates and types of the certificates that the Ops Manager API manages:

• Through the Ops Manager UI. For more information, see Check Expiration Dates and Certificate Types Through the Ops Manager UI below.

• Through the Ops Manager API. For more information, see Check Expiration Dates and Certificate Types Through the Ops Manager API below.

To configure Concourse to automatically monitor expiring certificates, you can use Platform Automation. For more information, see expiring-certificates in the Platform Automation documentation.

Check Expiration Dates and Certificate Types Through the Ops Manager UI

The Certificates page in the Ops Manager UI lists the certificates your deployment uses. It is divided into two sections, Certificates and Excluded certificates.

• The Certificates section includes the certificates that the Ops Manager API attempts to rotate, though some of these certificates must be rotated manually.

• The Excluded certificates section includes the certificates that the Ops Manager API does not attempt to rotate, because they either must be rotated using CredHub Maestro or cannot be rotated safely at all.

To check certificate expiration dates and types through the Ops Manager UI:

1. Navigate to the Ops Manager Installation Dashboard.

2. In the top menu, select Certificates.

3. In the Certificates and Excluded certificates sections, check the Valid until column for the expiration dates of each certificate and the number of days before expiration.

4. For any certificates expiring soon, use the following rules to identify their types:

   • Non-rotatable certificates: Non-rotatable certificates are included in the Excluded certificates section at the bottom of the Certificates page.
   • Non-configurable certificates: The rows for non-configurable leaf certificates contain the following information:
     • Location: Ops Manager or CredHub
     • Type: Leaf
     • Configurable: No
   • Configurable certificates: The rows for configurable leaf certificates contain the following information:
     • Type: Leaf
     • Configurable: Yes
   • CAs: The rows for CAs contain the following information:
     • Location: Ops Manager or CredHub
     • Type: CA

5. After you identify the list of certificates that expire soon, follow one of the procedures listed in Certificate Rotation Procedures in Overview of Certificate Rotation.

   Caution: The Excluded certificates section lists certificates that you cannot safely rotate using the methods described in this topic. To rotate the Services TLS CA certificate and its leaf certificates, see Rotate the Services TLS CA and Its Leaf Certificates in Advanced Certificate Rotation with CredHub Maestro. For all other certificates listed in Excluded certificates, contact Support for guidance.

Check Expiration Dates and Certificate Types Through the Ops Manager API

To check certificate expiration dates and types through the Ops Manager API:

1. Follow the procedure in Using Ops Manager API to target and authenticate with the Ops Manager User Account and Authentication (UAA) server. Record your Ops Manager access token, and use it for UAA-ACCESS-TOKEN in the steps below.

   Note: When you record your Ops Manager access token, remove any newline characters such as \n.

2. To retrieve the certificates, call the /deployed/certificates endpoint of the Ops Manager API by running:

   curl "https://OPS-MANAGER-FQDN/api/v0/deployed/certificates" \
         -H "Authorization: Bearer UAA-ACCESS-TOKEN" \
         -i
   

   Where:

   • OPS-MANAGER-FQDN is the fully-qualified domain name (FQDN) of your Ops Manager deployment.
   • UAA-ACCESS-TOKEN is the access_token value you recorded in the previous step.

   More options:

   • To limit command output to certificates that expire within a given time interval, append ?expires_within=TIME to the endpoint, replacing TIME with an integer-letter code.
     • Valid letter codes are d for days, w for weeks, m for months, and y for years. For example, querying to https://OPS-MANAGER-FQDN/api/v0/deployed/certificates?expires_within=6m searches for certificates expiring within six months.
   • To make the JSON output more readable, you can pipe your curl command to jq or another text editor with JSON formatting.

3. The deployed/certificates output lists all CAs and leaf certificates visible to the Ops Manager API, whether they are stored in Ops Manager directly or stored in CredHub. To determine the expiration date and type for each certificate listed:

   1. Determine the expiration date from the valid_until value. For example, the root CA listed below expires on August 12, 2020:

      {
            "configurable": true,
            "is_ca": true,
            "property_reference": ".properties.root_ca.fb10484dd5541a273c9d",
            "property_type": "rsa_cert_credentials",
            "product_guid": "ops_manager",
            "location": "ops_manager",
            "variable_path": null,
            "issuer": "/CN=ToolsmithsCA",
            "valid_from": "2019-08-13T15:30:22Z",
            "valid_until": "2020-08-12T15:30:22Z"
      }
      

   2. For any certificates expiring soon, use the following rules to identify their types:

      • Non-rotatable certificates: Non-rotatable certificates have the following property value:
        • variable_path matches /p-bosh/service-instance_*/pxc_*, /p-bosh/service-instance_*/tls_certificate, or /p-bosh/service-instance_*/redis_certificate
      • Non-configurable certificates: Non-configurable leaf certificates have the following property values:
        • configurable is false
        • location is either ops_manager or credhub
        • is_ca is false
      • Configurable certificates: Configurable leaf certificates have the following property values:
        • configurable is true
        • is_ca is false
      • CAs: CAs have the following property values:
        • is_ca is true
        • location is ops_manager or credhub

4. After you identify the list of certificates that expire soon, follow one of the procedures listed in Certificate Rotation Procedures in Overview of Certificate Rotation.