Rotating Non-Configurable Leaf Certificates

This topic describes how to rotate non-configurable leaf certificates for your VMware Tanzu Operations Manager (Ops Manager) deployment. To rotate all certificates in your Ops Manager deployment, see Rotating CAs and Leaf Certificates.

Overview

This procedure rotates non-configurable leaf certificates visible to the Ops Manager API, whether they are managed and stored by Ops Manager directly, or by CredHub at Ops Manager request.

Caution: This procedure does not rotate the Ops Manager root certificate authority (CA) or other CAs in your deployment. To rotate CAs and leaf certificates, see Rotating CAs and Leaf Certificates.

Prerequisites

Before you rotate certificates:

You must have Ops Manager v3.0.
You must reset any certificates that were manually set in CredHub on Ops Manager v2.6 and earlier to prevent them from being rotated with other certificates generated by CredHub. To find and reset any manually set certificates in CredHub, see Reviewing Manually Set Certificates in CredHub.
You cannot have any version of VMware Tanzu Kubernetes Grid Integrated Edition installed and rotate CredHub-managed certificates with the Ops Manager API. Instead, you can follow this procedure to rotate certificates managed by Ops Manager. Then, to rotate certificates managed in CredHub, see Advanced Certificate Rotation with CredHub Maestro.
Your product tile must have one of the following versions installed to rotate CredHub-managed certificates with the Ops Manager API:
- TAS for VMs v2.7.21 or later
- TAS for VMs v2.8.2 or later
- Isolation Segment tile v2.7.21 or later
- Isolation Segment tile v2.8.2 or later
- Small Footprint TAS for VMs v2.7.21 or later
- Small Footprint TAS for VMs v2.8.2 or later
- TAS for VMs [Windows] v2.7.17 or later
- TAS for VMs [Windows] v2.8.2 or later

If you have an earlier version of a product tile listed above, use this procedure to rotate certificates managed only by Ops Manager. Then, to rotate certificates managed in CredHub, see Advanced Certificate Rotation with CredHub Maestro.

Procedure

Note: You can set a value to override the duration for certificates within the BOSH Director tile. VMware recommends that you set the value before starting a certificate rotation. For more information, see Overriding Duration for Certificates.

To rotate non-configurable leaf certificates:

Call the Ops Manager API regenerate endpoint by running:

curl "https://OPS-MANAGER-FQDN/api/v0/certificate_authorities/active/regenerate" \
      -X POST \
      -H "Authorization: Bearer UAA-ACCESS-TOKEN" \
      -H "Content-Type: application/json" \
      -d '{}' \
      -i

Where:

OPS-MANAGER-FQDN is the fully-qualified domain name (FQDN) of your Ops Manager deployment.
UAA-ACCESS-TOKEN is your UAA access token.

The API returns a successful response:

HTTP/1.1 200 OK

Navigate to the Ops Manager Installation Dashboard.
If you have any on-demand service tiles installed, for each on-demand service tile:
1. Click the tile.
2. Click the Errands tab.
3. Enable the Upgrade All Service Instances errand. Running this errand is necessary to push CredHub certificate updates to each service instance.
4. Click Review Pending Changes.
5. Click Apply Changes.
If you do not have any on-demand service tiles installed:
1. Click Review Pending Changes.
2. Click Apply Changes.

Troubleshooting

The Ops Manager API invokes CredHub Maestro when rotating certificates. If a certificate rotation API command is unsafe, CredHub Maestro stops the command and returns one or more safety violations.

For example, CredHub Maestro stops a certificate rotation API command if you try to perform certificate rotation steps in the wrong order. Because performing these steps in the wrong order can make your deployment unstable or cause downtime, CredHub Maestro stops the command and returns an error message.

For information about how to troubleshoot safety violation errors that are returned when rotating certificates, see Troubleshooting CredHub Maestro Safety Violations During Certificate Rotation.