Overriding Duration for Certificates

This topic describes how to set values to override the duration for certificate authority (CA) and leaf certificates managed by Ops Manager and CredHub.

Overview

By default, certificates that Ops Manager and CredHub generate use the duration set by the tile and certificate authors. These durations can vary from certificate to certificate. In Ops Manager v2.10.19 and later, you can set values to override the durations for CA and leaf certificates. When you apply an override, you can increase certificate duration and reduce the frequency of required certificate rotations.

The following table describes what happens when you enable this feature:

If you configure a duration that is shorter than the default, then the certificate is generated using the default duration.
If you configure a duration that is longer than the default, then the certificate is generated using the duration you set.

For example, VMware Tanzu Application Service for VMs (TAS for VMs) might create a leaf certificate with a duration of 365 days. If you configure the minimum leaf duration to be 730 days, then when TAS for VMs is first deployed or regenerated, the leaf certificates are created using a duration of 730 days instead. A TAS for VMs certificate that is normally created with a duration of 1460 days continues to be created with a duration of 1460 days.
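The override rule above is a floor, not a replacement: the effective duration is the larger of the author's default and the configured value, and the excluded certificates listed later on this page keep their default regardless. The following script, an added example that is not part of the VMware documentation or Ops Manager's own code, models that rule over a constructed certificate inventory and then checks whether a rotated certificate actually came out with the longer duration by reading the dates that `openssl x509 -noout -dates` prints. The certificate names, default durations and date strings are constructed for illustration and are not values from Ops Manager.

```python
"""Model the Ops Manager certificate duration override rule and verify it after rotation.

Added example; inventory names, durations and dates below are constructed, not real products.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class CertSpec:
    name: str
    kind: str                 # "ca" or "leaf"
    default_days: int         # duration chosen by the tile / certificate author
    overridable: bool = True  # False for certificates the docs list as excluded


def effective_duration(default_days: int, override_days: Optional[int],
                       overridable: bool = True) -> int:
    """Apply the documented rule: a shorter override keeps the default,
    a longer override replaces it, and excluded certificates are untouched."""
    if not overridable or override_days is None:
        return default_days
    return max(default_days, override_days)


def plan_overrides(certs: Iterable[CertSpec],
                   ca_override: Optional[int] = None,
                   leaf_override: Optional[int] = None) -> Dict[str, Tuple[int, bool]]:
    """Return {name: (effective_days, changed)} so an operator can see which
    certificates will come out longer on the next rotation / first deploy."""
    plan = {}
    for cert in certs:
        override = ca_override if cert.kind == "ca" else leaf_override
        days = effective_duration(cert.default_days, override, cert.overridable)
        plan[cert.name] = (days, days != cert.default_days)
    return plan


# Date layout printed by `openssl x509 -noout -dates`, e.g. "Mar 10 12:00:00 2024 GMT"
_OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"


def _parse_openssl_date(line: str) -> datetime:
    """Accept either 'notAfter=Mar 10 12:00:00 2026 GMT' or just the date part."""
    value = line.split("=", 1)[1] if "=" in line else line
    return datetime.strptime(value.strip(), _OPENSSL_DATE)


def observed_duration_days(not_before: str, not_after: str) -> int:
    """Validity length in whole days of a certificate, from its openssl date lines."""
    return (_parse_openssl_date(not_after) - _parse_openssl_date(not_before)).days


def override_applied(not_before: str, not_after: str, expected_days: int) -> bool:
    """True when a freshly generated certificate is at least as long as the override."""
    return observed_duration_days(not_before, not_after) >= expected_days


if __name__ == "__main__":
    # Constructed inventory mirroring the worked example in the text:
    # a 365-day leaf becomes 730 days, a 1460-day leaf is left alone.
    inventory = [
        CertSpec("example-leaf-short", "leaf", 365),
        CertSpec("example-leaf-long", "leaf", 1460),
        CertSpec("example-root-ca", "ca", 1460),
        CertSpec("operator-provided-leaf", "leaf", 365, overridable=False),
    ]
    for name, (days, changed) in plan_overrides(inventory, ca_override=1825,
                                                leaf_override=730).items():
        print(f"{name:28} {days:5d} days {'(changed)' if changed else ''}")

    # Constructed openssl output for a leaf regenerated after the override.
    nb, na = "notBefore=Mar 10 12:00:00 2024 GMT", "notAfter=Mar 10 12:00:00 2026 GMT"
    print("override applied:", override_applied(nb, na, 730))
```

Run the plan before a scheduled rotation to see which certificates will change, then feed the `notBefore`/`notAfter` lines of the regenerated certificates into `override_applied` to confirm the new duration took effect; a certificate that still reports its old length is either one of the excluded kinds or one that has not been rotated yet.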

Note: VMware recommends that you do not change your scheduled certificate rotations to use the duration override feature. Instead, you can enable a duration override and use it when the next scheduled rotation takes place.

Enable Duration Overrides

To enable the duration override feature:

  1. Click the BOSH Director tile.
  2. Select Director Config.
  3. Scroll down to the Certificate Duration Overrides section.
  4. Select the On option.
  5. Enter the desired duration for CA certificates in the CA Certificate Duration field.
  6. Enter the desired duration for leaf certificates in the Leaf Certificate Duration field.
  7. Click Save.

After enabling the duration overrides feature, you must take additional steps to apply the setting to existing certificates, as well as any new certificates generated by CredHub.

Depending on your deployment, continue to one of the following sections:

Apply a Duration Override on an Existing Ops Manager

This procedure describes how to apply a duration override on an existing Ops Manager.

To apply a duration override:

  1. Click Apply Changes on the BOSH Director. This ensures that future certificates generated by CredHub use the new duration that you set.
  2. To apply a duration override to leaf certificates, you must do a leaf certificate rotation:
    1. To rotate non-configurable leaf certificates, see Rotating Non-Configurable Leaf Certificates.
    2. To rotate certificates generated using Generate RSA Certificate, see Rotating Configurable Leaf Certificates.
  3. To apply a duration override to both CA and leaf certificates, you must do a full CA rotation. To rotate CAs and leaf certificates, see Rotating CAs and Leaf Certificates.
  4. By default, the Services TLS CA is excluded from the Ops Manager certificate rotation API. You can rotate this certificate separately to apply the configured duration. To rotate the Services TLS CA, see Rotate the Services TLS CA and Its Leaf Certificates.

Apply a Duration Override on a New Ops Manager

This procedure describes how to apply a duration override on a new Ops Manager.

Warning: If you have run Apply Changes on the BOSH Director tile, you must use the procedure in Apply a Duration Override on an Existing Ops Manager above.

To apply a duration override:

  1. To apply duration overrides to leaf certificates, no action is required. Leaf certificates are created using the configured duration the first time you run Apply Changes.
  2. To apply duration overrides to CA certificates, you must regenerate the CA certificates. Follow the procedure in Rotating CAs and Leaf Certificates with the following modifications:
    1. You do not need to enable the Recreate VMs deployed by the BOSH Director checkbox.
    2. You do not need to run Apply Changes.

Excluded Certificates

This section describes the certificates that are excluded from the duration override setting. The duration override setting applies only to certificates that are rotated by the Ops Manager certificate rotation procedures.

The following certificates do not use the duration override setting:

  • User-provided certificates: Products installed using Ops Manager can contain fields that request operator-provided certificates. These certificates are not generated by Ops Manager or CredHub.

    Note: You can use Generate RSA Certificate to generate a certificate instead of requiring an operator-provided certificate. Certificates generated with Generate RSA Certificate use the duration overrides you set.

  • Ops Manager SAML Certificate: If you configure Ops Manager to use SAML, UAA uses the Ops Manager SAML Certificate. This certificate is valid for 730 days, and is not rotated by the same procedure that rotates other certificates. To rotate this certificate, see How to check and rotate Ops Manager SAML Certificate before it expires in the VMware Tanzu Support documentation.

  • Ops Manager SSL Certificate: The Ops Manager SSL Certificate is used to secure communication between the operator’s browser and the Ops Manager app. By default, this is a self-signed certificate created when the Ops Manager VM is first launched. This certificate is valid for 365 days, and is automatically regenerated when upgrading Ops Manager.

  • NATS client certificates: Each BOSH-deployed VM has a unique NATS client certificate used to communicate with the BOSH Director. This certificate is regenerated each time the VM is re-created.

  • Diego identity certificates: Each app instance deployed with TAS for VMs has a unique identity certificate used to communicate with Diego. The Diego Cell rep supplies a new certificate and private key pair to the app instance before the end of the validity period. For more information, see Using Instance Identity Credentials in the TAS for VMs documentation.

  • All other certificates that have a default duration that is longer than the duration you configure.