Rotating Configurable Leaf Certificates


This topic describes how to rotate configurable leaf certificates for your Ops Manager deployment. To rotate all certificates in your Ops Manager deployment, see Rotating CAs and Leaf Certificates.

Overview

Configurable certificates are generated by the user and pasted into Ops Manager configuration panes where needed. Examples include certificates that terminate SSL traffic into VMware Tanzu Application Service for VMs (TAS for VMs), or authenticate a Single Sign-On for VMware Tanzu service plan to an external SAML server.

To rotate SAML certificates for both TAS for VMs and the Single Sign-On for VMware Tanzu service, see Rotating Identity Provider SAML Certificates.

Warning: This procedure does not rotate the Ops Manager root certificate authority (CA) or other CAs in your deployment. To rotate CAs and leaf certificates, see Rotating CAs and Leaf Certificates.

Prerequisites

Before you rotate certificates:

  • You must have Ops Manager v2.10.

  • You must reset any certificates that were manually set in CredHub on Ops Manager v2.6 and earlier to prevent them from being rotated with other certificates generated by CredHub. To find and reset any manually set certificates in CredHub, see Reviewing Manually Set Certificates in CredHub.

  • If any version of VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) is installed, you cannot rotate CredHub-managed certificates with the Ops Manager API. Instead, follow this procedure to rotate the certificates that Ops Manager manages, and then rotate the certificates managed in CredHub as described in Advanced Certificate Rotation with CredHub Maestro.

  • Your product tile must have one of the following versions installed to rotate CredHub-managed certificates with the Ops Manager API:

    • TAS for VMs v2.7.21 or later
    • TAS for VMs v2.8.2 or later
    • Isolation Segment tile v2.7.21 or later
    • Isolation Segment tile v2.8.2 or later
    • Small Footprint TAS for VMs v2.7.21 or later
    • Small Footprint TAS for VMs v2.8.2 or later
    • TAS for VMs [Windows] v2.7.17 or later
    • TAS for VMs [Windows] v2.8.2 or later

If you have an earlier version of a product tile listed above, use this procedure to rotate certificates managed only by Ops Manager. Then, to rotate certificates managed in CredHub, see Advanced Certificate Rotation with CredHub Maestro.

Procedure

Note: You can set a value to override the duration for certificates within the BOSH Director tile. VMware recommends that you set the value before starting a certificate rotation. For more information, see Overriding Duration for Certificates.

To rotate configurable leaf certificates:

  1. Navigate to the Ops Manager Installation Dashboard.

  2. For each certificate you want to rotate:

    1. Find the text field where the leaf certificate is configured in the Ops Manager UI. You might need to look through several configuration panes to find it. Some tiles do not expose the field in the UI; in that case, update the value through the Ops Manager API instead. Use the following fields from the Ops Manager API output to locate the certificate:
      • The product_guid field in the Ops Manager API output can help identify the tile in which the certificate is configured. For example, the prefix p-bosh- refers to the BOSH Director tile, and the prefix cf- refers to the TAS for VMs tile.
      • The property_reference field in the Ops Manager API output can help identify the configuration pane in which the certificate is configured. For example, the uaa.service_provider_key_credentials property is configured in the UAA pane of the TAS for VMs tile.
    2. Paste the new leaf certificate and its private key into the text field, or click Generate RSA Certificate to have Ops Manager generate a new one. A certificate that terminates external TLS traffic must chain to a CA that your clients already trust; otherwise, connections fail as soon as the change is applied.
    3. Click Save at the bottom of each pane in which you added new leaf certificates.
  3. Return to the Ops Manager Installation Dashboard.

  4. Click Review Pending Changes.

  5. Click Apply Changes.
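Before starting the procedure above, a practitioner usually wants an inventory: which certificates expire soon, which are configurable (and so covered by this page), which tile and pane each one lives in, and which need one of the specialized procedures listed below. The following script is an added example, not code from the Ops Manager documentation or product. It parses a constructed sample of the JSON that the Ops Manager API returns from GET /api/v0/deployed/certificates; the product_guid and property_reference fields are those named on this page, while the configurable, valid_until and variable_path fields, the timestamp format, and the sample values themselves are assumptions.

```python
"""Triage an Ops Manager certificate inventory before rotating configurable
leaf certificates.  Added example; the sample payload is constructed."""
import json
from datetime import datetime, timezone

# Certificates this page lists as needing a separate, specialized procedure,
# keyed by property_reference.
SPECIALIZED_PROCEDURES = {
    ".properties.saml_service_provider_cert":
        "How to check and rotate Ops Manager SAML Certificate before it expires",
    ".uaa.service_provider_key_credentials":
        "Rotating Identity Provider SAML Certificates",
}

# product_guid prefixes named on this page; any other tile is reported by GUID.
TILE_PREFIXES = {"p-bosh-": "BOSH Director", "cf-": "TAS for VMs"}

# Constructed sample of a GET /api/v0/deployed/certificates response body.
# Field names other than product_guid/property_reference are assumptions.
SAMPLE_RESPONSE = json.dumps({"certificates": [
    {"configurable": True, "product_guid": "cf-0123456789abcdef0123",
     "property_reference": ".properties.networking_poe_ssl_certs",
     "variable_path": None, "valid_until": "2025-03-01T00:00:00Z"},
    {"configurable": True, "product_guid": "cf-0123456789abcdef0123",
     "property_reference": ".uaa.service_provider_key_credentials",
     "variable_path": None, "valid_until": "2025-02-01T00:00:00Z"},
    {"configurable": True, "product_guid": "p-bosh-fedcba9876543210fedc",
     "property_reference": ".properties.saml_service_provider_cert",
     "variable_path": None, "valid_until": "2026-01-01T00:00:00Z"},
    # CredHub-managed certificate: not configurable, identified by variable_path.
    {"configurable": False, "product_guid": "cf-0123456789abcdef0123",
     "property_reference": None,
     "variable_path": "/p-bosh-fedcba9876543210fedc/cf-0123456789abcdef0123/uaa_ssl",
     "valid_until": "2025-01-20T00:00:00Z"},
]})

# Fixed "now" so the sample report is reproducible (assumption for the example).
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def tile_for(product_guid):
    """Map a product_guid to the tile name using the prefixes named on the page."""
    for prefix, name in TILE_PREFIXES.items():
        if product_guid.startswith(prefix):
            return name
    return product_guid  # unknown tile: surface the GUID for manual lookup


def parse_time(value):
    """Parse an RFC 3339 UTC timestamp with a trailing Z (assumed API format)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(response_body, now, within_days):
    """Return certificates expiring within `within_days`, soonest first, each
    tagged with its tile, the pane hint (property_reference or variable_path)
    and the procedure that rotates it."""
    report = []
    for cert in json.loads(response_body)["certificates"]:
        days_left = (parse_time(cert["valid_until"]) - now).days
        if days_left > within_days:
            continue
        reference = cert.get("property_reference") or cert.get("variable_path")
        if not cert.get("configurable"):
            # Generated by Ops Manager or CredHub: out of scope for this page.
            procedure = "not configurable: see Rotating CAs and Leaf Certificates"
        else:
            procedure = SPECIALIZED_PROCEDURES.get(
                reference, "standard: paste or generate the certificate in the tile UI")
        report.append({"tile": tile_for(cert["product_guid"]),
                       "reference": reference,
                       "days_left": days_left,
                       "procedure": procedure})
    report.sort(key=lambda row: row["days_left"])
    return report


def sample_report(within_days=90):
    """Run the triage over the constructed sample at the fixed sample time."""
    return triage(SAMPLE_RESPONSE, SAMPLE_NOW, within_days)


if __name__ == "__main__":
    for row in sample_report():
        print(f"{row['days_left']:4d}d  {row['tile']:<14} {row['reference']}\n"
              f"       -> {row['procedure']}")
```

Run against a live deployment, the body would come from the deployed-certificates endpoint instead of SAMPLE_RESPONSE; the point of the triage is that a non-configurable entry (variable_path set, no property_reference) is never handled by the UI procedure above, and that the two SAML entries are routed to their specialized procedures rather than being pasted over.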

Certificates with Specialized Procedures

Some certificates are not rotated when using the standard rotation procedure. The following table lists certificates that use a separate, specialized rotation procedure and provides links to documentation and Knowledge Base articles to help you rotate these certificates.

Certificate                              | Tile          | Procedure
.properties.saml_service_provider_cert   | BOSH Director | How to check and rotate Ops Manager SAML Certificate before it expires
.uaa.service_provider_key_credentials    | TAS for VMs   | Rotating Identity Provider SAML Certificates

Troubleshooting

The Ops Manager API invokes CredHub Maestro when rotating certificates. If a certificate rotation API command is unsafe, CredHub Maestro stops the command and returns one or more safety violations.

For example, CredHub Maestro stops a rotation command if you attempt the rotation steps in the wrong order, because doing so can make your deployment unstable or cause downtime. The command is not run, and an error message describing the violation is returned.

For information about how to troubleshoot safety violation errors that are returned when rotating certificates, see Troubleshooting CredHub Maestro Safety Violations During Certificate Rotation.