This topic describes how you can use the VMware Tanzu Operations Manager UI or API to manually check the expiration dates and rotation procedures of the certificate authorities (CAs) and leaf certificates managed by the Tanzu Operations Manager. After identifying the certificates that expire soon, you can determine which certificate rotation procedure to follow.
To configure Concourse to automatically monitor expiring certificates, you can use Platform Automation. For more information, see expiring-certificates in the Platform Automation documentation.
The Certificates page in the Tanzu Operations Manager UI lists the certificates your deployment uses.
To check certificate expiration dates and rotation procedures using the Tanzu Operations Manager UI:
Go to Tanzu Operations Manager Installation Dashboard.
In the top menu, click Certificates.
Look at the Expiration Date column for the expiration dates of each certificate and the number of days before expiration.
For any certificates expiring soon, identify the procedure listed in the Rotation Procedure column. This will link to the documentation page describing how to rotate that certificate.
Note that most procedures operate on multiple certificates at once. For example, all CA certificates listed as using the Standard CA Procedure are rotated together; there is no need to repeat the procedure for each of these certificates. It is also recommended to rotate CA certificates first, as rotating CAs will also rotate any leaf certificates signed by those CAs.
To check certificate expiration dates and types using the Tanzu Operations Manager API:
Follow the procedure in Using Tanzu Operations Manager API to target and authenticate with the Tanzu Operations Manager User Account and Authentication (UAA) server. Record your Tanzu Operations Manager access token, and use it for UAA-ACCESS-TOKEN in the following steps.
When you record your Tanzu Operations Manager access token, remove any newline characters such as \n.
To retrieve the certificates, call the /deployed/certificates endpoint of the Tanzu Operations Manager API by running:
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/certificates" \
  -H "Authorization: Bearer UAA-ACCESS-TOKEN" \
  -i
Where:
OPS-MANAGER-FQDN is the fully-qualified domain name (FQDN) of your Tanzu Operations Manager deployment.
UAA-ACCESS-TOKEN is the access_token value you recorded in the previous step.
More options:
To limit the results to certificates expiring within a given period, append ?expires_within=TIME to the endpoint, replacing TIME with an integer-letter code: d for days, w for weeks, m for months, and y for years. For example, querying https://OPS-MANAGER-FQDN/api/v0/deployed/certificates?expires_within=6m searches for certificates expiring within six months.
To make the output easier to read, pipe the output of the curl command to jq or another text editor with JSON formatting.
The deployed/certificates output lists all CAs and leaf certificates visible to the Tanzu Operations Manager API, whether they are stored in Tanzu Operations Manager directly or in CredHub. To determine the expiration date and rotation procedure for each certificate listed:
Determine the expiration date from the valid_until value. For example, the root CA listed in the following example expires on August 12, 2020:
{
  "configurable": true,
  "is_ca": true,
  "property_reference": ".properties.root_ca.fb10484dd5541a273c9d",
  "property_type": "rsa_cert_credentials",
  "product_guid": "ops_manager",
  "location": "ops_manager",
  "variable_path": null,
  "issuer": "/CN=ToolsmithsCA",
  "valid_from": "2019-08-13T15:30:22Z",
  "valid_until": "2020-08-12T15:30:22Z",
  "rotation_procedure_name": "Standard CA Procedure",
  "rotation_procedure_url": "https://docs.vmware.com/en/VMware-Tanzu-Operations-Manager/3.0/vmware-tanzu-ops-manager/security-pcf-infrastructure-rotate-cas-and-leaf-certs.html"
}
For any certificates expiring soon, identify the procedure listed in the rotation_procedure_name field. This is the name of the rotation procedure that will be used to rotate the certificate. The URL for the documentation for this procedure is listed in the rotation_procedure_url field.
Note that most procedures operate on multiple certificates at once. For example, all CA certificates listed as using the Standard CA Procedure are rotated together; there is no need to repeat the procedure for each of these certificates. VMware also recommends rotating CA certificates first, because rotating CAs also rotates any leaf certificates signed by those CAs.
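The following script is an added example, not VMware's code or part of this documentation. It shows how to triage the JSON returned by the /deployed/certificates endpoint the way the API steps above describe: compute the days left from valid_until, keep only the certificates inside an expires_within-style window (d/w/m/y codes), and group the hits by rotation_procedure_name with CAs listed first, which is the order in which the procedures should be run. The curl call is replaced by an embedded, constructed response so the script runs offline; the top-level "certificates" key, the three non-root records, the "Example Leaf Procedure" name and URL, the reference date, and the 30-day month and 365-day year used for the m and y codes are all assumptions made here. Only the root CA record is taken from the example above.

```python
"""Triage /api/v0/deployed/certificates output: days until expiry, expires_within
window filtering, and grouping by rotation procedure with CAs first.

Added example, not VMware's code. The network call is replaced by an embedded,
constructed JSON response so this runs offline.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample response. The root CA record mirrors the document's example;
# the wrapper key, the other three records and "Example Leaf Procedure" are assumptions.
SAMPLE_RESPONSE = json.dumps({"certificates": [
    {
        "configurable": True, "is_ca": True,
        "property_reference": ".properties.root_ca.fb10484dd5541a273c9d",
        "property_type": "rsa_cert_credentials", "product_guid": "ops_manager",
        "location": "ops_manager", "variable_path": None, "issuer": "/CN=ToolsmithsCA",
        "valid_from": "2019-08-13T15:30:22Z", "valid_until": "2020-08-12T15:30:22Z",
        "rotation_procedure_name": "Standard CA Procedure",
        "rotation_procedure_url": "https://docs.vmware.com/en/VMware-Tanzu-Operations-Manager/3.0/vmware-tanzu-ops-manager/security-pcf-infrastructure-rotate-cas-and-leaf-certs.html",
    },
    {   # constructed CredHub-stored leaf that has already expired
        "is_ca": False, "property_reference": None, "location": "credhub",
        "variable_path": "/example-director/example-deployment/old_tls",
        "valid_until": "2020-02-15T00:00:00Z",
        "rotation_procedure_name": "Example Leaf Procedure",
        "rotation_procedure_url": "https://docs.example.invalid/leaf-procedure",
    },
    {   # constructed CredHub-stored leaf expiring inside a six-month window
        "is_ca": False, "property_reference": None, "location": "credhub",
        "variable_path": "/example-director/example-deployment/example_tls",
        "valid_until": "2020-07-01T00:00:00Z",
        "rotation_procedure_name": "Example Leaf Procedure",
        "rotation_procedure_url": "https://docs.example.invalid/leaf-procedure",
    },
    {   # constructed Ops Manager-stored leaf expiring well beyond the window
        "is_ca": False, "property_reference": ".properties.example_leaf.0000",
        "location": "ops_manager", "variable_path": None,
        "valid_until": "2021-06-01T00:00:00Z",
        "rotation_procedure_name": "Example Leaf Procedure",
        "rotation_procedure_url": "https://docs.example.invalid/leaf-procedure",
    },
]})

# Fixed "today" so the report is reproducible (assumption; use datetime.now(timezone.utc) live).
REFERENCE_NOW = datetime(2020, 3, 1, tzinfo=timezone.utc)

# Day counts per integer-letter code. The letters come from the endpoint's
# expires_within parameter; the month and year lengths are an assumption.
WINDOW_DAYS = {"d": 1, "w": 7, "m": 30, "y": 365}


def parse_window(code):
    """Turn an expires_within code such as '30d', '2w', '6m' or '1y' into a timedelta."""
    code = code.strip().lower()
    if len(code) < 2 or code[-1] not in WINDOW_DAYS or not code[:-1].isdigit():
        raise ValueError("bad expires_within code: %r" % code)
    return timedelta(days=int(code[:-1]) * WINDOW_DAYS[code[-1]])


def parse_timestamp(value):
    """Parse the API's UTC timestamps, e.g. 2020-08-12T15:30:22Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cert_name(cert):
    """Ops Manager-stored certs carry property_reference; CredHub-stored ones carry variable_path."""
    return cert.get("property_reference") or cert.get("variable_path") or "<unnamed>"


def days_until_expiry(cert, now):
    """Whole days from now until valid_until; negative means already expired."""
    return (parse_timestamp(cert["valid_until"]) - now).days


def triage(response_text, window_code, now):
    """Return certificates expiring within the window, CAs first, soonest first."""
    certs = json.loads(response_text)["certificates"]
    cutoff = now + parse_window(window_code)
    rows = [
        {
            "name": cert_name(c),
            "is_ca": bool(c.get("is_ca")),
            "days_left": days_until_expiry(c, now),
            "procedure": c.get("rotation_procedure_name"),
            "url": c.get("rotation_procedure_url"),
        }
        for c in certs
        if parse_timestamp(c["valid_until"]) <= cutoff
    ]
    rows.sort(key=lambda r: (not r["is_ca"], r["days_left"]))
    return rows


def group_by_procedure(rows):
    """Collapse rows into procedure -> [names]: one run of a procedure rotates all of them."""
    groups = {}
    for r in rows:
        groups.setdefault(r["procedure"], []).append(r["name"])
    return groups


if __name__ == "__main__":
    rows = triage(SAMPLE_RESPONSE, "6m", REFERENCE_NOW)
    for r in rows:
        state = "EXPIRED" if r["days_left"] < 0 else "%d days left" % r["days_left"]
        print("%-4s %-48s %s" % ("CA" if r["is_ca"] else "leaf", r["name"], state))
    for procedure, names in group_by_procedure(rows).items():
        print("\nRun once: %s (%d certificate(s))" % (procedure, len(names)))
```

Against a live deployment, replace SAMPLE_RESPONSE with the body of the curl call shown above (without -i, so only the JSON is passed in) and REFERENCE_NOW with the current UTC time. Sorting CAs ahead of leaves reflects the note above: rotating a CA also rotates the leaves it signed, so a leaf that appears under an expiring CA usually needs no separate run.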