Checking Tanzu Operations Manager certificate expiration dates and rotation procedures

This topic describes how you can use the VMware Tanzu Operations Manager UI or API to manually check the expiration dates and rotation procedures of the certificate authorities (CAs) and leaf certificates managed by the Tanzu Operations Manager API. After identifying the certificates that expire soon, you can determine which certificate rotation procedure to follow.

To configure Concourse to automatically monitor expiring certificates, you can use Platform Automation. For more information, see expiring-certificates in the Platform Automation documentation.

Check expiration dates and rotation procedures through the Tanzu Operations Manager UI

The Certificates page in the Tanzu Operations Manager UI lists the certificates your deployment uses.

To check certificate expiration dates and rotation procedures through the Tanzu Operations Manager UI:

Go to Tanzu Operations Manager Installation Dashboard.
In the top menu, click Certificates.
Look at the Expiration Date column for the expiration dates of each certificate and the number of days before expiration.
For any certificates expiring soon, identify the procedure listed in the Rotation Procedure column. This will link to the documentation page describing how to rotate that certificate.

Note that most procedures operate on multiple certificates at once. For example, all CA certificates listed as using the Standard CA Procedure will be rotated together; there is no need to repeat the procedure for each of these certificates. It is also recommended to rotate CA certificates first, as rotating CAs will also rotate any leaf certificates signed by those CAs.

Check expiration dates and certificate types through the Tanzu Operations Manager API

To check certificate expiration dates and types through the Tanzu Operations Manager API:

Follow the procedure in Using Tanzu Operations Manager API to target and authenticate with the Tanzu Operations Manager User Account and Authentication (UAA) server. Record your Tanzu Operations Manager access token, and use it for UAA-ACCESS-TOKEN in the following steps.

When you record your Tanzu Operations Manager access token, remove any newline characters such as \n.
To retrieve the certificates, call the /deployed/certificates endpoint of the Tanzu Operations Manager API by running:
```
curl "https://OPS-MANAGER-FQDN/api/v0/deployed/certificates" \
      -H "Authorization: Bearer UAA-ACCESS-TOKEN" \
      -i
```
Where:
- OPS-MANAGER-FQDN is the fully-qualified domain name (FQDN) of your Tanzu Operations Manager deployment.
- UAA-ACCESS-TOKEN is the access_token value you recorded in the previous step.
More options:
- To limit command output to certificates that expire within a given time interval, append ?expires_within=TIME to the endpoint, replacing TIME with an integer-letter code.
  - Valid letter codes are d for days, w for weeks, m for months, and y for years. For example, querying to https://OPS-MANAGER-FQDN/api/v0/deployed/certificates?expires_within=6m searches for certificates expiring within six months.
- To make the JSON output more readable, you can pipe your curl command to jq or another text editor with JSON formatting.
The deployed/certificates output lists all CAs and leaf certificates visible to the Tanzu Operations Manager API, whether they are stored in Tanzu Operations Manager directly or stored in CredHub. To determine the expiration date and rotation procedure for each certificate listed:
1. Determine the expiration date from the valid_until value. For example, the root CA listed in the following example expires on August 12, 2020:
```
{
      "configurable": true,
      "is_ca": true,
      "property_reference": ".properties.root_ca.fb10484dd5541a273c9d",
      "property_type": "rsa_cert_credentials",
      "product_guid": "ops_manager",
      "location": "ops_manager",
      "variable_path": null,
      "issuer": "/CN=ToolsmithsCA",
      "valid_from": "2019-08-13T15:30:22Z",
      "valid_until": "2020-08-12T15:30:22Z"
      "rotation_procedure_name": "Standard CA Procedure",
      "rotation_procedure_url": "https://docs.vmware.com/en/VMware-Tanzu-Operations-Manager/3.0/vmware-tanzu-ops-manager/security-pcf-infrastructure-rotate-cas-and-leaf-certs.html"
}
```
2. For any certificates expiring soon, identify the procedure listed in the rotation_procedure_name field. This is the name of the rotation procedure that will be used to rotate the certificate. The URL for the documentation for this procedure is listed in the rotation_procedure_url field.
Note that most procedures operate on multiple certificates at once. For example, all CA certificates listed as using the Standard CA Procedure are rotated together; there is no need to repeat the procedure for each of these certificates. VMware also recommends rotating CA certificates first, as rotating CAs also rotates any leaf certificates signed by those CAs.