Monitoring Certificate Expiration

This topic describes how to monitor the expiration of Ops Manager certificates using metrics collected by the Healthwatch Exporter for VMware Tanzu Application Service for VMs (TAS for VMs) and Healthwatch Exporter for Tanzu Kubernetes Grid Integrated Edition (TKGI) tiles.

Overview of Certificate Expiration Monitoring

Healthwatch Exporter for TAS for VMs and Healthwatch Exporter for TKGI deploy the certificate expiration metric exporter VM, cert-expiration-exporter, which collects metrics that show when Ops Manager certificates are due to expire. These certificates include the Ops Manager root certificate authority (CA) and leaf certificates for product tiles and BOSH deployments that are stored in BOSH CredHub. For more information about these certificates, see Certificate Types in the Ops Manager documentation.

The certificate expiration metric exporter VM uses the om CLI to make a GET request to the /api/v0/deployed/certificates Ops Manager API endpoint with the query parameter ?expires_within=1y. This request returns the expiration dates of all certificates that are due to expire within one year. You cannot configure the certificate expiration metric exporter VM to make a request to the Ops Manager API endpoint that specifies a different time period. For more information about the /api/v0/deployed/certificates endpoint, see Getting Information About Certificates from Products in the Ops Manager API documentation.

If any CAs and leaf certificates for your deployment are due to expire soon, rotate them before they expire to avoid downtime for your deployment. To rotate CAs and leaf certificates, see Overview of Certificate Rotation in the Ops Manager documentation.
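Because the one-year window is fixed, any tighter rotation deadline has to be applied to the response after the fact. The following is an added example, not part of Healthwatch or the Ops Manager documentation, that sorts a saved /api/v0/deployed/certificates response into urgency buckets. The JSON field names (is_ca, product_guid, property_reference, valid_until), the sample values, and the 30-day and 90-day thresholds are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample response; field names are assumptions about the
# /api/v0/deployed/certificates JSON shape, values are made up.
SAMPLE = json.dumps({"certificates": [
    {"is_ca": True, "product_guid": "example-bosh", "property_reference": ".properties.root_ca",
     "valid_until": "2025-03-15T00:00:00Z"},
    {"is_ca": False, "product_guid": "example-cf", "property_reference": ".router.cert",
     "valid_until": "2025-01-20T00:00:00Z"},
    {"is_ca": False, "product_guid": "example-cf", "property_reference": ".uaa.cert",
     "valid_until": "2024-12-25T00:00:00Z"},
    {"is_ca": False, "product_guid": "example-tile", "property_reference": ".broker.cert",
     "valid_until": "2025-11-30T00:00:00Z"},
    {"is_ca": False, "product_guid": "example-tile", "property_reference": ".no_date.cert"},
]})

def days_left(valid_until, now):
    """Whole days until expiry; negative once the certificate has expired."""
    expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
    return (expiry - now).days

def triage(response_text, now, critical_days=30, warn_days=90):
    """Bucket certificates by urgency; CAs sort first, then soonest expiry."""
    buckets = {"expired": [], "critical": [], "warning": [], "ok": [], "unknown": []}
    for cert in json.loads(response_text).get("certificates", []):
        name = f'{cert.get("product_guid")}{cert.get("property_reference")}'
        try:
            remaining = days_left(cert["valid_until"], now)
        except (KeyError, TypeError, ValueError, AttributeError):
            # Missing or unparseable expiry date: surface it, do not drop it.
            buckets["unknown"].append((name, None, bool(cert.get("is_ca"))))
            continue
        if remaining < 0:
            level = "expired"
        elif remaining <= critical_days:
            level = "critical"
        elif remaining <= warn_days:
            level = "warning"
        else:
            level = "ok"
        buckets[level].append((name, remaining, bool(cert.get("is_ca"))))
    for level in ("expired", "critical", "warning", "ok"):
        buckets[level].sort(key=lambda c: (not c[2], c[1]))
    return buckets

if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for level, certs in triage(SAMPLE, now).items():
        for name, remaining, is_ca in certs:
            print(level, "CA" if is_ca else "leaf", name, remaining)
```

Entries in the unknown bucket have no usable expiration date and need manual review.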

Reserving a Static IP Address for the Certificate Expiration Metric Exporter VM

You do not need to configure the certificate expiration metric exporter VM for it to collect certificate expiration metrics. However, you can reserve a static IP address for the certificate expiration metric exporter VM.

To configure a static IP address for the certificate expiration metric exporter VM, see the configuration topic for your Healthwatch Exporter tile: