This topic tells you how to use the VMware Tanzu Operations Manager UI or API to manually check the expiration dates and types of the certificate authorities (CAs) and leaf certificates managed by the Tanzu Operations Manager API. After identifying the types of certificates that expire soon, you can determine which certificate rotation procedure to follow.
To configure Concourse to automatically monitor expiring certificates, you can use Platform Automation. For more information, see expiring-certificates in the Platform Automation documentation.
The Certificates page in the Tanzu Operations Manager UI lists the certificates your deployment uses. It is divided into two sections, Certificates and Excluded certificates.
The Certificates section includes the certificates that the Tanzu Operations Manager API attempts to rotate, though some of these certificates must be rotated manually.
The Excluded certificates section includes the certificates that the Tanzu Operations Manager API does not attempt to rotate, because they either must be rotated using CredHub Maestro or cannot be rotated safely at all.
To check certificate expiration dates and types through the Tanzu Operations Manager UI:
Go to Tanzu Operations Manager Installation Dashboard.
From the top menu, click Certificates.
In the Certificates and Excluded certificates sections, check the Valid until column for each certificate's expiration date and the number of days remaining before it expires.
For any certificates expiring soon, identify their types using the same rules as for the API fields listed later in this topic: whether the certificate is a CA, whether it is configurable, its location, and its variable path.
After you identify the list of certificates that expire soon, follow one of the procedures listed in Certificate Rotation Procedures in Overview of Certificate Rotation.
The Excluded certificates section lists certificates that you cannot safely rotate using the methods described in this topic. To rotate the Services TLS CA certificate and its leaf certificates, see Rotate the Services TLS CA and Its Leaf Certificates in Advanced Certificate Rotation with CredHub Maestro. For all other certificates listed in Excluded certificates, contact Support for guidance.
To check certificate expiration dates and types through the Tanzu Operations Manager API:
Follow the procedure in Using Tanzu Operations Manager API to target and authenticate with the Tanzu Operations Manager User Account and Authentication (UAA) server. Record your Tanzu Operations Manager access token, and use it for UAA-ACCESS-TOKEN in the following steps. When you record the access token, remove any newline characters such as \n; a stray newline in the token corrupts the Authorization header and the request is rejected.
To retrieve the certificates, call the /deployed/certificates endpoint of the Tanzu Operations Manager API by running:

curl "https://OPS-MANAGER-FQDN/api/v0/deployed/certificates" \
  -H "Authorization: Bearer UAA-ACCESS-TOKEN" \
  -i
Where:

OPS-MANAGER-FQDN is the fully-qualified domain name (FQDN) of your Tanzu Operations Manager deployment.

UAA-ACCESS-TOKEN is the access_token value you recorded in the previous step.

More options:

To list only the certificates that expire within a given period, append ?expires_within=TIME to the endpoint, replacing TIME with an integer followed by a unit letter: d for days, w for weeks, m for months, and y for years. For example, querying https://OPS-MANAGER-FQDN/api/v0/deployed/certificates?expires_within=6m returns the certificates that expire within six months.

To make the output easier to read, pipe the output of the curl command to jq or another tool with JSON formatting. Omit the -i flag when you do this, because the HTTP response headers it adds are not valid JSON.

The deployed/certificates output lists all CAs and leaf certificates visible to the Tanzu Operations Manager API, whether they are stored in Tanzu Operations Manager directly or stored in CredHub. To determine the expiration date and type for each certificate listed:
Determine the expiration date from the valid_until value. For example, the root CA listed in the following example expires on August 12, 2020:

{
  "configurable": true,
  "is_ca": true,
  "property_reference": ".properties.root_ca.fb10484dd5541a273c9d",
  "property_type": "rsa_cert_credentials",
  "product_guid": "ops_manager",
  "location": "ops_manager",
  "variable_path": null,
  "issuer": "/CN=ToolsmithsCA",
  "valid_from": "2019-08-13T15:30:22Z",
  "valid_until": "2020-08-12T15:30:22Z"
}
For any certificates expiring soon, use the following rules to identify their types. Apply the variable_path rule first: Services TLS CA leaf certificates also satisfy the non-configurable leaf certificate rule, but they must be rotated with CredHub Maestro rather than through the API.

Services TLS CA leaf certificates: variable_path matches /p-bosh/service-instance_*/pxc_*, /p-bosh/service-instance_*/tls_certificate, or /p-bosh/service-instance_*/redis_certificate.

Non-configurable leaf certificates: configurable is false, location is either ops_manager or credhub, and is_ca is false.

Configurable leaf certificates: configurable is true and is_ca is false.

CA certificates: is_ca is true and location is ops_manager or credhub.
After you identify the list of certificates that expire soon, follow one of the procedures listed in Certificate rotation procedures in Overview of Certificate Rotation.
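The following Python script is an added example, not code from the Tanzu Operations Manager documentation or product. It does programmatically what the API procedure above does by hand: it calls /api/v0/deployed/certificates with a UAA bearer token (optionally with expires_within), then applies the variable_path, is_ca, configurable and location rules to each entry and computes the days remaining before valid_until. The sample response is constructed; only its root CA entry is the one shown in this topic, and the placeholder GUIDs, paths and product names are made up. The {"certificates": [...]} envelope is an assumption about the response shape, so the script also accepts a bare list.

```python
"""Check certificate expiry and type from /api/v0/deployed/certificates output.

Added example, not part of the Tanzu Operations Manager documentation or
product. It applies the field rules from this topic (variable_path,
configurable, is_ca, location) to the JSON the endpoint returns.
"""
import fnmatch
import json
import urllib.request
from datetime import datetime, timezone

# Patterns from the topic's rule for Services TLS CA leaf certificates.
SERVICES_TLS_LEAF_PATTERNS = (
    "/p-bosh/service-instance_*/pxc_*",
    "/p-bosh/service-instance_*/tls_certificate",
    "/p-bosh/service-instance_*/redis_certificate",
)
KNOWN_LOCATIONS = ("ops_manager", "credhub")


def fetch_certificates(ops_manager_fqdn, uaa_access_token, expires_within=None,
                       ssl_context=None):
    """GET /api/v0/deployed/certificates with a UAA bearer token.

    Not exercised offline. expires_within takes the endpoint's integer-letter
    code, for example "6m". The token is stripped so a trailing newline cannot
    corrupt the Authorization header. Pass an ssl.SSLContext that trusts the
    Ops Manager CA if its TLS certificate is not in the system trust store.
    """
    url = f"https://{ops_manager_fqdn}/api/v0/deployed/certificates"
    if expires_within:
        url += f"?expires_within={expires_within}"
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {uaa_access_token.strip()}"})
    with urllib.request.urlopen(req, context=ssl_context) as resp:
        return json.load(resp)


def certificate_list(response):
    """Accept a bare list or a {"certificates": [...]} envelope (assumed shape)."""
    return response["certificates"] if isinstance(response, dict) else response


def classify(cert):
    """Return the certificate type using the topic's rules, most specific first."""
    path = cert.get("variable_path") or ""  # variable_path may be null
    if any(fnmatch.fnmatchcase(path, p) for p in SERVICES_TLS_LEAF_PATTERNS):
        return "Services TLS CA leaf certificate"  # rotate with CredHub Maestro
    if cert.get("is_ca"):
        if cert.get("location") in KNOWN_LOCATIONS:
            return "CA certificate"
    elif cert.get("configurable"):
        return "configurable leaf certificate"
    elif cert.get("location") in KNOWN_LOCATIONS:
        return "non-configurable leaf certificate"
    return "unknown"


def days_until_expiry(cert, now):
    """Whole days from now until valid_until (negative if already expired)."""
    valid_until = datetime.strptime(cert["valid_until"], "%Y-%m-%dT%H:%M:%SZ")
    return (valid_until.replace(tzinfo=timezone.utc) - now).days


def expiring_within(certs, now, within_days):
    """Rows for certificates expiring within within_days, soonest first."""
    rows = []
    for cert in certs:
        days = days_until_expiry(cert, now)
        if days <= within_days:
            rows.append({
                "name": cert.get("variable_path") or cert.get("property_reference"),
                "type": classify(cert),
                "location": cert.get("location"),
                "days": days,
            })
    return sorted(rows, key=lambda r: r["days"])


# Constructed sample: the first entry is the root CA shown in this topic; the
# rest are placeholders with made-up GUIDs, paths and product names.
SAMPLE_RESPONSE = {"certificates": [
    {"configurable": True, "is_ca": True,
     "property_reference": ".properties.root_ca.fb10484dd5541a273c9d",
     "product_guid": "ops_manager", "location": "ops_manager",
     "variable_path": None, "issuer": "/CN=ToolsmithsCA",
     "valid_from": "2019-08-13T15:30:22Z", "valid_until": "2020-08-12T15:30:22Z"},
    {"configurable": False, "is_ca": False, "property_reference": None,
     "product_guid": "p-bosh", "location": "credhub",
     "variable_path": "/p-bosh/service-instance_PLACEHOLDER/pxc_server_cert",
     "valid_until": "2020-03-01T00:00:00Z"},
    {"configurable": False, "is_ca": False, "property_reference": None,
     "product_guid": "p-bosh", "location": "credhub",
     "variable_path": "/PLACEHOLDER/director_ssl",
     "valid_until": "2020-06-01T00:00:00Z"},
    {"configurable": True, "is_ca": False,
     "property_reference": ".properties.PLACEHOLDER_tls_cert",
     "product_guid": "PLACEHOLDER-tile", "location": "ops_manager",
     "variable_path": None, "valid_until": "2021-01-01T00:00:00Z"},
]}
NOW = datetime(2020, 2, 1, tzinfo=timezone.utc)  # fixed clock for the sample

if __name__ == "__main__":
    for row in expiring_within(certificate_list(SAMPLE_RESPONSE), NOW, 180):
        print(f"{row['days']:>5}d  {row['type']:<34} {row['location']:<12} {row['name']}")
```

Run against a live deployment by replacing SAMPLE_RESPONSE with fetch_certificates(OPS-MANAGER-FQDN, UAA-ACCESS-TOKEN) and NOW with datetime.now(timezone.utc). The type column tells you which rotation procedure applies: entries classified as Services TLS CA leaf certificates belong to the CredHub Maestro procedure even though they would otherwise look like ordinary non-configurable leaf certificates.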