This topic describes how you can identify and update certificates that were set manually: certificates that an operator added directly to BOSH CredHub through the CredHub CLI instead of using a CredHub-generated certificate. For example, an operator might have provided an existing certificate to BOSH CredHub as described in the VMware SQL with MySQL for Tanzu Application Service documentation.
To ensure that VMware Tanzu Operations Manager does not rotate manually-set certificates alongside CredHub-generated certificates, you must ensure that the generated
field of all manually-set certificates is set to false
in CredHub.
In this procedure, use the CredHub CLI to review existing certificates and then check for manually-set certificates. If you find any manually-set certificates that require updates, you can use the CredHub CLI to reset the certificate.
You need the BOSH client name and client secret to use the CredHub CLI.
To find the BOSH CredHub client name and client secret:
Go to Tanzu Operations Manager Installation Dashboard.
Click the BOSH Director tile.
Click the Credentials tab.
In the BOSH Director section, go to the BOSH Commandline Credentials row, and click the corresponding link, Link to Credential.
Record the values for BOSH_CLIENT
and BOSH_CLIENT_SECRET
. Here is an example of the credentials page:
{"credential":"BOSH_CLIENT=ops_manager
BOSH_CLIENT_SECRET=abcdefghijklm123456789
BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate
BOSH_ENVIRONMENT=10.0.0.5 bosh "}
Click the Status tab.
In the BOSH Director row, locate and record the IP address of the BOSH Director. For example, 10.0.0.5
.
You can run CredHub CLI commands on the Tanzu Operations Manager VM.
To log in to and access the CredHub API:
SSH into the Tanzu Operations Manager VM. For IaaS-specific instructions on how to SSH, see Log in to the Tanzu Operations Manager VM with SSH.
Set the CredHub API target of the CLI by running:
credhub api https://BOSH-DIRECTOR:8844 --ca-cert=/var/tempest/workspaces/default/root_ca_certificate
Where BOSH-DIRECTOR
is the IP address of the BOSH Director VM.
Log in to CredHub by running:
credhub login --client-name=CREDHUB-CLIENT-NAME --client-secret=CREDHUB-CLIENT-SECRET
Where:
CREDHUB-CLIENT-NAME
is the value you recorded for BOSH_CLIENT
in Find BOSH Client Credentials and BOSH Director IP Address.CREDHUB-CLIENT-SECRET
is the value you recorded for BOSH_CLIENT_SECRET
in Find BOSH Client Credentials and BOSH Director IP Address.After you log in to CredHub, you can query the CredHub API on the command line.
To retrieve a list of CredHub certificates:
Retrieve a list of all the certificates stored in CredHub by running:
credhub curl -p "/api/v1/certificates" -X GET | jq .
In the JSON output, check the value of the generated
field of each certificate. For example:
{
"certificates": [
{
"name": "/services/tls_ca",
"id": "1b378f9c-d3dc-4519-9cde-20397f9d8d6b",
"versions": [
{
"id": "3e41bba8-1373-4b51-b774-d65d9a0b87b4",
"expiry_date": "2020-09-19T14:36:36Z",
"transitional": false,
"certificate_authority": true,
"self_signed": true,
"generated": null
},
For each certificate where generated
value is null
, follow the procedure in Reset a certificate in CredHub.
To reset a certificate in CredHub:
Retrieve a manually-set certificate by running:
credhub get -n SET-CERTIFICATE -k certificate > /tmp/certificate.yml
credhub get -n SET-CERTIFICATE -k ca > /tmp/ca.yml
credhub get -n SET-CERTIFICATE -k private_key > /tmp/private_key.yml
Where SET-CERTIFICATE
is the value of the name
field in the manually-set certificate you want to retrieve.
Reset the certificate depending on the certificate type.
If the retrieved certificate is a root CA certificate, run:
credhub set -n SET-CERTIFICATE -t certificate -r /tmp/ca.yml -c /tmp/certificate.yml -p /tmp/private_key.yml
Where SET-CERTIFICATE
is the name of the manually-set certificate you want to reset.
If the retrieved certificate is an intermediate or leaf certificate, run:
credhub set -n SET-CERTIFICATE -t certificate -c /tmp/certificate.yml -p /tmp/private_key.yml -m SIGNING-CA
Where:
SET-CERTIFICATE
is the name of the manually-set certificate you want to reset.SIGNING-CA
is the name of the signing root CA certificate.