You can set values to override the duration for certificate authority (CA) and leaf certificates managed by VMware Tanzu Operations Manager and CredHub. By default, certificates that Tanzu Operations Manager and CredHub generate use the duration set by the tile and certificate authors, which can vary from certificate to certificate.

When you apply an override, you can increase certificate duration and reduce the frequency of required certificate rotations. The following table describes what happens when you enable this feature:

If you...                                               then...
configure a duration that is shorter than the default   the certificate is generated using the default duration.
configure a duration that is longer than the default    the certificate is generated using the duration you set.

For example, VMware Tanzu Application Service for VMs (TAS for VMs) might create a leaf certificate with a duration of 365 days. If you configure the minimum leaf duration to be 730 days, then when TAS for VMs is first deployed or regenerated, the leaf certificates are created using a duration of 730 days instead. A TAS for VMs certificate that is normally created with a duration of 1460 days continues to be created with a duration of 1460 days.
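The override rule above (the longer of the default and the configured override wins) can be checked against a rotated certificate. The following added example is not VMware's code; it models the rule with assumed override values and parses the `notBefore`/`notAfter` lines that `openssl x509 -noout -dates` prints so you can confirm a certificate was actually issued with the expected validity period.

```python
"""Model the Tanzu Operations Manager certificate duration override rule and
compare it with the validity period of a real certificate (added example)."""
from datetime import datetime

# Assumed operator settings in days (constructed values, not page defaults).
OVERRIDES_DAYS = {"ca": 1825, "leaf": 730}


def effective_duration_days(default_days, kind, overrides=OVERRIDES_DAYS):
    """Shorter override -> the default is kept; longer override -> it is used."""
    if kind not in overrides:
        raise ValueError(f"unknown certificate kind: {kind}")
    return max(default_days, overrides[kind])


def parse_openssl_dates(text):
    """Parse `openssl x509 -noout -dates` output such as
    'notBefore=Jan  1 00:00:00 2024 GMT' into (not_before, not_after)."""
    dates = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        # openssl pads single-digit days with two spaces; strptime tolerates that.
        dates[key.strip()] = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
    return dates["notBefore"], dates["notAfter"]


def actual_duration_days(text):
    """Validity period of the certificate described by the openssl output."""
    not_before, not_after = parse_openssl_dates(text)
    return (not_after - not_before).days


def override_applied(text, default_days, kind):
    """True when the certificate's validity matches what the override rule predicts,
    i.e. the certificate has been regenerated since the override was enabled."""
    return actual_duration_days(text) == effective_duration_days(default_days, kind)


# Constructed sample: a leaf certificate regenerated with the 730-day override.
ROTATED_LEAF = """notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Dec 31 00:00:00 2025 GMT"""

# Constructed sample: a leaf certificate still carrying its 365-day default.
STALE_LEAF = """notBefore=Jan  1 00:00:00 2025 GMT
notAfter=Jan  1 00:00:00 2026 GMT"""

if __name__ == "__main__":
    print("rotated leaf uses override:", override_applied(ROTATED_LEAF, 365, "leaf"))
    print("stale leaf uses override:", override_applied(STALE_LEAF, 365, "leaf"))
```

Run the script, or feed it the output of `openssl x509 -in <cert.pem> -noout -dates` for a certificate from your deployment, to see whether a rotation picked up the override.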

VMware recommends that you do not change your scheduled certificate rotations to use the duration override feature. Instead, you can enable a duration override and use it when the next scheduled rotation takes place.

Enable duration overrides

To enable the duration override feature:

  1. Click the BOSH Director tile.
  2. Click Director Config.
  3. Scroll down to the Certificate Duration Overrides section.
  4. Select the On option.
  5. Enter the desired duration for CA certificates in the CA Certificate Duration field.
  6. Enter the desired duration for leaf certificates in the Leaf Certificate Duration field.
  7. Click Save.

After you enable the duration overrides feature, you must take additional steps to apply the setting to existing certificates, and any new certificates generated by CredHub.

Depending on your deployment, continue to one of the following sections.

Apply a duration override on an existing Tanzu Operations Manager

This procedure describes how to apply a duration override on an existing Tanzu Operations Manager.

To apply a duration override:

  1. Click Apply Changes on the BOSH Director. This ensures that future certificates generated by CredHub use the new duration that you set.
  2. To apply a duration override to leaf certificates, you must do a leaf certificate rotation:
    1. To rotate non-configurable leaf certificates, see Rotating non-configurable leaf certificates.
    2. To rotate certificates generated using Generate RSA Certificate, see Rotating configurable leaf certificates.
  3. To apply a duration override to both CA and leaf certificates, you must do a full CA rotation. To rotate CAs and leaf certificates, see Rotating CAs and Leaf Certificates.
  4. By default, the Services TLS CA is excluded by the Tanzu Operations Manager certificate rotation API. You can rotate this certificate separately to apply the configured duration. To rotate the Services TLS CA, see Rotate the Services TLS CA and Its Leaf Certificates.

Apply a duration override on a new Tanzu Operations Manager

This procedure describes how to apply a duration override on a new Tanzu Operations Manager.

If you have already run Apply Changes on the BOSH Director tile, you must use the procedure in Apply a duration override on an existing Tanzu Operations Manager.

To apply a duration override:

  1. To apply duration overrides to leaf certificates, no action is required. Leaf certificates are created using the configured duration the first time you run Apply Changes.
  2. To apply duration overrides to CA certificates, you must regenerate the CA certificates. Follow the procedure in Rotating CAs and Leaf Certificates with the following modifications:
    1. You do not need to enable the Recreate VMs deployed by the BOSH Director check box.
    2. You do not need to run Apply Changes.

Excluded certificates

This section describes the certificates that are excluded from the duration override setting. The duration override setting applies only to certificates that are rotated by the Tanzu Operations Manager certificate rotation procedures.

The following certificates do not use the duration override setting:

  • User-provided certificates: Products installed using Tanzu Operations Manager can contain fields that request operator-provided certificates. These certificates are not generated by Tanzu Operations Manager or CredHub.

    You can use Generate RSA Certificate to generate a certificate instead of requiring an operator-provided certificate. Certificates generated with Generate RSA Certificate use the duration overrides you set.

  • Tanzu Operations Manager SAML Certificate: If you configure Tanzu Operations Manager to use SAML, UAA uses the Tanzu Operations Manager SAML Certificate. This certificate is valid for 730 days. To rotate this certificate, see How to check and rotate Ops Manager SAML Certificate before it expires.

  • Tanzu Operations Manager SSL Certificate: The Tanzu Operations Manager SSL Certificate is used to secure communication between the operator’s browser and the Tanzu Operations Manager app. By default, this is a self-signed certificate created when the Tanzu Operations Manager VM is first launched. This certificate is valid for 365 days, and is automatically regenerated when upgrading Tanzu Operations Manager.

  • NATS client certificates: Each BOSH deployed VM has a unique NATS client certificate used to communicate with the BOSH Director. This certificate is regenerated each time the VM is re-created.

  • Diego identity certificates: Each app instance deployed with TAS for VMs has a unique identity certificate used to communicate with Diego. The Diego Cell rep supplies a new certificate and private key pair to the app instance before the end of the validity period. For more information, see Using instance identity credentials in the Cloud Foundry documentation.

  • All other certificates whose default duration is already longer than the configured override duration.
