You can set values to override the duration for certificate authority (CA) and leaf certificates managed by VMware Tanzu Operations Manager and CredHub. By default, certificates that Tanzu Operations Manager and CredHub generate use the duration set by the tile and certificate authors, which can vary from certificate to certificate.
When you apply an override, you can increase certificate duration and reduce the frequency of required certificate rotations. The following table describes what happens when you enable this feature:
| If you                                                | Then                                                     |
|-------------------------------------------------------|----------------------------------------------------------|
| configure a duration that is shorter than the default | the certificate is generated using the default duration. |
| configure a duration that is longer than the default  | the certificate is generated using the duration you set. |
For example, VMware Tanzu Application Service for VMs (TAS for VMs) might create a leaf certificate with a duration of 365 days. If you configure the minimum leaf duration to be 730 days, then when TAS for VMs is first deployed or regenerated, the leaf certificates are created using a duration of 730 days instead. A TAS for VMs certificate that is normally created with a duration of 1460 days continues to be created with a duration of 1460 days.
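The rule in the table (the longer of the tile default and the configured minimum wins) and a check that regenerated certificates actually received the expected duration, as an added Python example that is not part of the VMware documentation or of Tanzu Operations Manager itself. It reads only the validity field of a DER or PEM certificate using the standard library; the sample certificates are constructed, unsigned test data, and all function names are the example's own.

```python
import base64
from datetime import datetime, timezone


def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next position)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:                                   # long form: number of length bytes follows
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_asn1_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) per RFC 5280 into a UTC datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                         # YYMMDDHHMMSSZ; YY >= 50 means 19YY
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = text[2:12]
    elif tag == 0x18:                       # YYYYMMDDHHMMSSZ
        year = int(text[:4])
        rest = text[4:14]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (notBefore, notAfter) by walking Certificate -> tbsCertificate -> validity."""
    _, cert, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)           # tbsCertificate
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                         # optional explicit [0] version
        tag, _, pos = read_tlv(tbs, pos)    # serialNumber
    if tag != 0x02:
        raise ValueError("serialNumber not found; not a certificate")
    _, _, pos = read_tlv(tbs, pos)          # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)          # issuer Name
    _, validity, _ = read_tlv(tbs, pos)     # validity SEQUENCE { notBefore, notAfter }
    t1, v1, p = read_tlv(validity, 0)
    t2, v2, _ = read_tlv(validity, p)
    return parse_asn1_time(t1, v1), parse_asn1_time(t2, v2)


def certificate_duration_days(der):
    not_before, not_after = certificate_validity(der)
    return (not_after - not_before).days


def pem_to_der(pem_text):
    body = "".join(l for l in pem_text.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def effective_duration_days(default_days, override_days=None, excluded=False):
    """Duration the override rule yields: the longer of the tile default and the configured
    minimum. Certificates the override does not apply to keep their default."""
    if excluded or override_days is None:
        return default_days
    return max(default_days, override_days)


def check_certificate(der, default_days, override_days=None, excluded=False):
    """Return (observed_days, expected_days, ok) for a regenerated certificate."""
    observed = certificate_duration_days(der)
    expected = effective_duration_days(default_days, override_days, excluded)
    return observed, expected, observed >= expected


# --- constructed test data: structurally valid, unsigned, minimal certificates ---------
def _tlv(tag, payload):
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x80 | ((n.bit_length() + 7) // 8)]) + \
        n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + length + payload


def _asn1_time(dt):
    if 1950 <= dt.year < 2050:
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())


def build_test_certificate(not_before, not_after):
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02")) +                      # version v3
               _tlv(0x02, b"\x01") +                                  # serialNumber 1
               _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")) +  # sha256WithRSA
               _tlv(0x30, b"") +                                      # empty issuer
               _tlv(0x30, _asn1_time(not_before) + _asn1_time(not_after)) +
               _tlv(0x30, b"") +                                      # empty subject
               _tlv(0x30, b""))                                       # placeholder SPKI
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


_UTC = timezone.utc
SAMPLE_LEAF_DER = build_test_certificate(datetime(2025, 1, 1, tzinfo=_UTC), datetime(2027, 1, 1, tzinfo=_UTC))
SAMPLE_LONG_DER = build_test_certificate(datetime(2049, 1, 1, tzinfo=_UTC), datetime(2052, 1, 1, tzinfo=_UTC))
SAMPLE_LEAF_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_LEAF_DER).decode() + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # A 365-day leaf regenerated under a 730-day minimum should now show 730 days.
    print(check_certificate(SAMPLE_LEAF_DER, default_days=365, override_days=730))
```

To check a real certificate exported from CredHub or the Tanzu Operations Manager API, pass its PEM text through `pem_to_der` and compare against the default duration the tile documents for that certificate; pass `excluded=True` for the certificate types the page lists as outside the override so the check expects the default rather than the configured minimum.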
VMware recommends that you do not change your scheduled certificate rotations to use the duration override feature. Instead, you can enable a duration override and use it when the next scheduled rotation takes place.
To enable the duration override feature:
After you enable the duration override feature, you must take additional steps to apply the setting to existing certificates and to any new certificates that CredHub generates.
Depending on your deployment, continue to one of the following sections:
This procedure describes how to apply a duration override on an existing Tanzu Operations Manager.
To apply a duration override:
This procedure describes how to apply a duration override on a new Tanzu Operations Manager.
To apply a duration override:
If you have run Apply Changes on the BOSH Director tile, you must use the procedure in Apply a Duration Override on an Existing Tanzu Operations Manager.
This section describes the certificates that are excluded from the duration override setting. The duration override setting applies only to certificates that are rotated by the Tanzu Operations Manager certificate rotation procedures.
The following certificates do not use the duration override setting:
User-provided certificates: Products installed using Tanzu Operations Manager can contain fields that request operator-provided certificates. These certificates are not generated by Tanzu Operations Manager or CredHub.
You can use Generate RSA Certificate to generate a certificate instead of requiring an operator-provided certificate. Certificates generated with Generate RSA Certificate use the duration overrides you set.
Tanzu Operations Manager SAML Certificate: If you configure Tanzu Operations Manager to use SAML, UAA uses the Tanzu Operations Manager SAML Certificate. This certificate is valid for 730 days, and is not rotated by the same procedure that rotates other certificates. To rotate this certificate, see How to check and rotate Ops Manager SAML Certificate before it expires in the VMware Tanzu Support documentation.
Tanzu Operations Manager SSL Certificate: The Tanzu Operations Manager SSL Certificate is used to secure communication between the operator’s browser and the Tanzu Operations Manager app. By default, this is a self-signed certificate created when the Tanzu Operations Manager VM is first launched. This certificate is valid for 365 days, and is automatically regenerated when upgrading Tanzu Operations Manager.
NATS client certificates: Each BOSH deployed VM has a unique NATS client certificate used to communicate with the BOSH Director. This certificate is regenerated each time the VM is re-created.
Diego identity certificates: Each app instance deployed with TAS for VMs has a unique identity certificate used to communicate with Diego. The Diego Cell rep supplies a new certificate and private key pair to the app instance before the end of the validity period. For more information, see Using instance identity credentials in the TAS for VMs documentation.
All other certificates whose default duration is longer than the configured duration.