You can rotate non-configurable VMware Tanzu Operations Manager leaf certificates that are visible to the Tanzu Operations Manager API, whether they are managed and stored by Tanzu Operations Manager directly or by CredHub at Tanzu Operations Manager's request. To rotate all certificates in your Tanzu Operations Manager deployment, see Rotating CAs and Leaf Certificates.

This procedure does not rotate the Tanzu Operations Manager root certificate authority (CA) or other CAs in your deployment. To rotate CAs and leaf certificates, see Rotating CAs and Leaf Certificates.

Prerequisites

Before you rotate certificates:

  • You must have Tanzu Operations Manager v3.0.

  • You must have Jammy stemcells at version 1.8 or later, Xenial stemcells at version 621.171 or later, and Windows stemcells at version 2019.41 or later.

    If you have any VMs deployed with any of the following stemcells, you will have to recreate the VMs at every Apply Changes step:
    • Xenial stemcells earlier than release 621.171
    • Windows stemcells earlier than release 2019.41
    • Jammy stemcells earlier than release 1.8
    If you are still using these stemcell versions and you cannot immediately upgrade, you must enable the Recreate all service instances errand, if the service tile provides it.
    Running this errand pushes BOSH Agent certificate updates to service instances.

    If the service tile does not include the Recreate all service instances errand, see the procedure Running with old Xenial or Windows stemcells in Rotating CAs and leaf certificates using the Tanzu Operations Manager API for instructions.
  • You must reset any certificates that were manually set in CredHub on Tanzu Operations Manager v2.6 and earlier to prevent them from being rotated with other certificates generated by CredHub. To find and reset any manually set certificates in CredHub, see Reviewing manually set certificates in CredHub.

    If you use VMware Tanzu Kubernetes Grid Integrated Edition (TKGI), rotate your certificates using the instructions in the TKGI documentation. For certificates that are not rotated by the TKGI procedures, see Advanced certificate rotation with CredHub Maestro.

  • Your product tile must have one of the following versions installed to rotate CredHub-managed certificates with the Tanzu Operations Manager API:

    • TAS for VMs v2.7.21 or later.
    • TAS for VMs v2.8.2 or later.
    • Isolation Segment tile v2.7.21 or later.
    • Isolation Segment tile v2.8.2 or later.
    • Small Footprint TAS for VMs v2.7.21 or later.
    • Small Footprint TAS for VMs v2.8.2 or later.
    • TAS for VMs [Windows] v2.7.17 or later.
    • TAS for VMs [Windows] v2.8.2 or later.

    If you have an earlier version of one of the product tiles listed above, use this procedure to rotate only the certificates managed by Tanzu Operations Manager. Then, to rotate the certificates managed in CredHub, see Advanced certificate rotation with CredHub Maestro.

Procedure

You can set a value to override the duration for certificates in the BOSH Director tile. VMware recommends that you set the value before starting a certificate rotation. For more information, see Overriding duration for certificates.

To rotate non-configurable leaf certificates:

  1. Call the Tanzu Operations Manager API regenerate endpoint by running:

    curl "https://OPS-MANAGER-FQDN/api/v0/certificate_authorities/active/regenerate" \
      -X POST \
      -H "Authorization: Bearer UAA-ACCESS-TOKEN" \
      -H "Content-Type: application/json" \
      -d '{}' \
      -i

    Where:

    • OPS-MANAGER-FQDN is the fully-qualified domain name (FQDN) of your Tanzu Operations Manager deployment.
    • UAA-ACCESS-TOKEN is your UAA access token.

    The API returns a successful response:

    HTTP/1.1 200 OK
  2. Go to the Tanzu Operations Manager Installation Dashboard.

  3. If you have any on-demand service tiles installed, do the following for each one:

    1. Click the tile.
    2. Click the Errands tab.
    3. Enable the Upgrade All Service Instances errand. Running this errand is necessary to push CredHub certificate updates to each service instance.
    4. Click Review Pending Changes.
    5. Click Apply Changes.
  4. If you do not have any on-demand service tiles installed:

    1. Click Review Pending Changes.
    2. Click Apply Changes.
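The following shell script is an added example, not VMware's own tooling: it wraps the regenerate call from step 1 so that the HTTP status is checked separately from the response body, and the body (where CredHub Maestro reports safety violations) is shown only when the call does not return 200. It assumes curl is installed and that UAA-ACCESS-TOKEN has already been obtained.

```shell
# Added example (not part of the Tanzu Operations Manager documentation).
# Assumes: curl is installed; the UAA access token was obtained beforehand.

# Map the HTTP status of the regenerate call to a short verdict.
# 200 is the documented success response; anything else is treated as failure.
classify_regenerate_status() {
  case "$1" in
    200) echo "ok" ;;
    401|403) echo "auth-error" ;;   # token rejected or lacks the required rights
    4*|5*) echo "rejected" ;;       # e.g. CredHub Maestro stopped an unsafe command
    *) echo "unknown" ;;
  esac
}

# POST {} to the regenerate endpoint. Prints a one-line verdict and returns 0
# only on HTTP 200; on any other status the response body is printed so the
# reason (for example a safety violation) is visible to the operator.
regenerate_leaf_certs() {
  fqdn="$1"
  token="$2"
  body="$(mktemp)"
  status="$(curl -s -o "$body" -w '%{http_code}' \
    "https://${fqdn}/api/v0/certificate_authorities/active/regenerate" \
    -X POST \
    -H "Authorization: Bearer ${token}" \
    -H "Content-Type: application/json" \
    -d '{}')"
  verdict="$(classify_regenerate_status "$status")"
  echo "regenerate: HTTP ${status} (${verdict})"
  if [ "$verdict" != "ok" ]; then
    cat "$body"
  fi
  rm -f "$body"
  [ "$verdict" = "ok" ]
}

# Usage: sh rotate-leaf-certs.sh OPS-MANAGER-FQDN UAA-ACCESS-TOKEN
if [ "$#" -eq 2 ]; then
  regenerate_leaf_certs "$1" "$2"
fi
```

After a successful call, continue with step 2 onward; the Apply Changes steps are still required to push the new certificates to the VMs.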

Troubleshooting

The Tanzu Operations Manager API runs CredHub Maestro when rotating certificates. If a certificate rotation API command is unsafe, CredHub Maestro stops the command and returns one or more safety violations.

For example, CredHub Maestro stops a certificate rotation API command if you try to follow certificate rotation steps in the wrong order. Because performing these steps in the wrong order can make your deployment unstable or cause downtime, CredHub Maestro stops the command and returns an error message.

For information about how to troubleshoot safety violation errors that are returned when rotating certificates, see Troubleshooting CredHub Maestro safety violations during certificate rotation.
