This topic provides an overview of how you can rotate certificate authorities (CAs) and leaf certificates in VMware Tanzu Operations Manager.

The Tanzu Operations Manager API manages and lists internal CAs and leaf certificates that enable Tanzu Operations Manager components to communicate with each other securely using TLS. It can also list certificates used externally, such as SAML certificates that authenticate to an external identity provider (IDP).

For more information about the CAs and leaf certificates visible to the Tanzu Operations Manager API, see Certificate types.

Rotate CAs and leaf certificates before they expire to avoid downtime for your deployment. To rotate certificates in Tanzu Operations Manager, first check the expiration dates of all certificates. Then, follow the certificate rotation procedure recommended for the expiring certificates to regenerate them, and deploy any BOSH deployments using those certificates to use the new versions.

When possible, the Tanzu Operations Manager API invokes CredHub Maestro to rotate certificates. You might encounter CredHub Maestro safety violation errors if you attempt to perform an unsafe operation, such as running a rotation step out of order. For more information about troubleshooting these errors, see Troubleshooting CredHub Maestro Safety Violations During Certificate Rotation.

You can set a value to override the duration for certificates within the BOSH Director tile. VMware recommends that you set the value before starting a certificate rotation. For more information, see Overriding duration for certificates.

Check certificate expiration dates and rotation procedures

Before determining which certificate rotation procedure to follow, you must determine:

  • Which CAs and leaf certificates are due to expire soon.
  • Which recommended procedure is listed for the expiring certificates
  • Whether customer provided CAs exist in your deployment.

To check the expiration dates and rotation procedures of your certificates, see Checking Expiration Dates and Rotation Procedures.

If customer provided CAs exist in your deployment, you must do an additional procedure to successfully rotate. To see if you have customer-provided CAs and rotate them successfully, see Rotating Certificates with Customer-Provided CAs.

Certificate rotation procedures

The topics listed in this section explain how to rotate certificates in Tanzu Operations Manager, including the Tanzu Operations Manager root CA, BOSH NATS CA, CAs stored in CredHub, and leaf certificates. There are different rotation procedures for each type of certificate that requires rotation.

The rotation procedures described in the following topics do not work if the certificates have already expired. If the certificates have expired, contact Broadcom Support for guidance.

To rotate certificates, follow one of these procedures:

Rotating other certificates

Other certificates that the Tanzu Operations Manager API does not rotate include:

  • The Services TLS CA. To rotate this CA, see Advanced certificate rotation with CredHub Maestro.

  • IDP SAML certificates. To rotate IDP SAML certificates, see Rotating identity provider SAML Certificates.

  • IPsec certificates. To rotate IPsec certificates, see Rotating IPsec certificates in the IPsec documentation.

  • Certificates for any products that you deploy manually with BOSH. To rotate these certificates, you must redeploy the BOSH release and re-create its VMs using the BOSH CLI.

  • CredHub-managed certificates for the following product versions:

    • TAS for VMs v2.7.0-v2.7.20.
    • TAS for VMs v2.8.0-v2.8.1.
    • Isolation Segment tile v2.7.0-v2.7.20.
    • Isolation Segment tile v2.8.0-v2.8.1.
    • Small Footprint TAS for VMs v2.7.0-v2.7.20.
    • Small Footprint TAS for VMs v2.8.0-v2.8.1.
    • TAS for VMs [Windows] v2.7.0-v2.7.16.
    • TAS for VMs [Windows] v2.8.0-v2.8.1.
check-circle-line exclamation-circle-line close-line
Scroll to top icon