Monitoring Certificate Expiration
This topic describes how to monitor the expiration of Ops Manager certificates using metrics collected by the Healthwatch Exporter for VMware Tanzu Application Service for VMs (TAS for VMs) and Healthwatch Exporter for Tanzu Kubernetes Grid Integrated Edition (TKGI) tiles.
Healthwatch Exporter for TAS for VMs and Healthwatch Exporter for TKGI deploy the certificate
expiration metric exporter VM,
cert-expiration-exporter, which collects metrics that show
when Ops Manager certificates are due to expire. These certificates include the Ops Manager
root certificate authority (CA) and leaf certificates for product tiles and BOSH deployments
that are stored in BOSH CredHub. For more information about these certificates, see Certificate
in the Ops Manager documentation.
The certificate expiration metric exporter VM uses the
om CLI to make a GET request to the
/api/v0/deployed/certificates Ops Manager API endpoint with the query parameter
This request returns all certificate expiration dates that are due to occur within one year.
You cannot configure the certificate expiration metric exporter VM to make a request to the
Ops Manager API endpoint that specifies a different time period. For more information, about
/api/v0/deployed/certificates endpoint, see Getting Information About Certificates from
in the Ops Manager API documentation.
If any CAs and leaf certificates for your deployment are due to expire soon, rotate them before they expire to avoid downtime for your deployment. To rotate CAs and leaf certificates, see Overview of Certificate Rotation in the Ops Manager documentation.
You do not need to configure the certificate expiration metric exporter VM for it to collect certificate expiration metrics. However, you can reserve a static IP address for the certificate expiration metric exporter VM.
To configure a static IP address for the certificate expiration metric exporter VM, see the configuration topic for your Healthwatch Exporter tile:
(Optional) Configure TAS for VMs Metric Exporter VMs in Configuring Healthwatch Exporter for TAS for VMs
(Optional) Configure TKGI and Certificate Expiration Metric Exporter VMs in Configuring Healthwatch Exporter for TKGI.