This topic describes how to set values to override the duration for certificate authority (CA) and leaf certificates managed by VMware Tanzu Operations Manager (Ops Manager) and CredHub.
By default, certificates that Ops Manager and CredHub generate use the duration set by the tile and certificate authors. These durations can vary from certificate to certificate. In Ops Manager v2.10.19 and later, you can set values to override the durations for CA and leaf certificates. When you apply an override, you can increase certificate duration and reduce the frequency of required certificate rotations.
The following table describes what happens when you enable this feature:
| If you... | Then... |
|---|---|
| configure a duration that is shorter than the default | the certificate is generated using the default duration. |
| configure a duration that is longer than the default | the certificate is generated using the duration you set. |
For example, VMware Tanzu Application Service for VMs (TAS for VMs) might create a leaf certificate with a duration of 365 days. If you configure the minimum leaf duration to be 730 days, then when TAS for VMs is first deployed or regenerated, the leaf certificates are created using a duration of 730 days instead. A TAS for VMs certificate that is normally created with a duration of 1460 days continues to be created with a duration of 1460 days.
Note: VMware recommends that you do not change your scheduled certificate rotations to use the duration override feature. Instead, you can enable a duration override and use it when the next scheduled rotation takes place.
To enable the duration override feature:
After enabling the duration overrides feature, you must take additional steps to apply the setting to existing certificates and to any new certificates that CredHub generates.
Depending on your deployment, continue to one of the following sections:
This procedure describes how to apply a duration override on an existing Ops Manager.
To apply a duration override:
This procedure describes how to apply a duration override on a new Ops Manager.
To apply a duration override:
Caution: If you have run Apply Changes on the BOSH Director tile, you must use the procedure in Apply a Duration Override on an Existing Ops Manager above.
This section describes the certificates that are excluded from the duration override setting. The duration override setting applies only to certificates that are rotated by the Ops Manager certificate rotation procedures.
The following certificates do not use the duration override setting:
- User-provided certificates: Products installed using Ops Manager can contain fields that request operator-provided certificates. These certificates are not generated by Ops Manager or CredHub.
  Note: You can use Generate RSA Certificate to generate a certificate instead of requiring an operator-provided certificate. Certificates generated with Generate RSA Certificate use the duration overrides you set.
- Ops Manager SAML Certificate: If you configure Ops Manager to use SAML, UAA uses the Ops Manager SAML Certificate. This certificate is valid for 730 days, and is not rotated by the same procedure that rotates other certificates. To rotate this certificate, see How to check and rotate Ops Manager SAML Certificate before it expires in the VMware Tanzu Support documentation.
- Ops Manager SSL Certificate: The Ops Manager SSL Certificate is used to secure communication between the operator’s browser and the Ops Manager app. By default, this is a self-signed certificate created when the Ops Manager VM is first launched. This certificate is valid for 365 days, and is automatically regenerated when upgrading Ops Manager.
- NATS client certificates: Each BOSH-deployed VM has a unique NATS client certificate used to communicate with the BOSH Director. This certificate is regenerated each time the VM is re-created.
- Diego identity certificates: Each app instance deployed with TAS for VMs has a unique identity certificate used to communicate with Diego. The Diego Cell rep supplies a new certificate and private key pair to the app instance before the end of the validity period. For more information, see Using Instance Identity Credentials in the TAS for VMs documentation.
- All other certificates that have a default duration that is longer than the duration you configure.
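As an added illustration (not part of the Ops Manager documentation or product code), the following Python models the override rule from the table above together with the exclusions in this section: the configured minimum is a floor that takes effect only when a certificate is regenerated, so existing copies keep their current expiry until the next rotation. The certificate names, issue dates and override values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Cert:
    name: str
    kind: str             # "ca" or "leaf"
    default_days: int     # duration set by the tile or certificate author
    issued: date          # when the current copy was generated
    managed: bool = True  # False for certificates the rotation procedure does not cover

def effective_duration(cert, overrides):
    """Duration used the next time this certificate is generated.
    The override is a floor: a configured minimum shorter than the author's
    default has no effect, a longer one replaces it. Certificates outside the
    Ops Manager rotation procedure keep their own duration regardless."""
    if not cert.managed:
        return cert.default_days
    return max(cert.default_days, overrides.get(cert.kind, 0))

def rotation_plan(certs, overrides, rotation_date):
    """Report each certificate's current expiry and what it becomes once the
    certificate is regenerated on rotation_date. Existing copies keep their
    original duration until that regeneration happens."""
    plan = {}
    for c in certs:
        new_days = effective_duration(c, overrides)
        plan[c.name] = {
            "current_expiry": c.issued + timedelta(days=c.default_days),
            "next_duration_days": new_days,
            "extended": new_days > c.default_days,
            "expiry_after_rotation": rotation_date + timedelta(days=new_days),
        }
    return plan

# Constructed sample inventory, override values and rotation date; not data from a real deployment.
OVERRIDES = {"ca": 1825, "leaf": 730}
ROTATION_DATE = date(2024, 6, 1)
INVENTORY = [
    Cert("tas-leaf-short", "leaf", 365, date(2024, 1, 1)),
    Cert("tas-leaf-long", "leaf", 1460, date(2024, 1, 1)),
    Cert("services-ca", "ca", 1460, date(2024, 1, 1)),
    Cert("opsman-saml", "leaf", 730, date(2024, 1, 1), managed=False),
    Cert("operator-provided-tls", "leaf", 397, date(2024, 1, 1), managed=False),
]

if __name__ == "__main__":
    for name, row in rotation_plan(INVENTORY, OVERRIDES, ROTATION_DATE).items():
        flag = " (extended by override)" if row["extended"] else ""
        print(f"{name}: expires {row['current_expiry']}, next copy {row['next_duration_days']}d{flag}")
```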