Rotating Configurable Leaf Certificates

Page last updated:

This topic describes how to rotate configurable leaf certificates for your Ops Manager deployment. To rotate all certificates in your Ops Manager deployment, see Rotating CAs and Leaf Certificates.

Overview

Configurable certificates are generated by the user and pasted into Ops Manager configuration panes where needed. Examples include certificates that terminate SSL traffic into VMware Tanzu Application Service for VMs (TAS for VMs), or authenticate a Single Sign-On for VMware Tanzu service plan to an external SAML server.

To rotate SAML certificates for both TAS for VMs and the Single Sign-On for VMware Tanzu service, see Rotating Identity Provider SAML Certificates.

Warning: This procedure does not rotate the Ops Manager root certificate authority (CA) or other CAs in your deployment. To rotate CAs and leaf certificates, see Rotating CAs and Leaf Certificates.

Prerequisites

Before you rotate certificates:

  • You must have Ops Manager v2.10.

  • You must reset any certificates that were manually set in CredHub on Ops Manager v2.6 and earlier to prevent them from being rotated with other certificates generated by CredHub. To find and reset any manually set certificates in CredHub, see Reviewing Manually Set Certificates in CredHub.

  • You cannot have any version of VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) installed and rotate CredHub-managed certificates with the Ops Manager API. Instead, you can follow this procedure to rotate certificates managed by Ops Manager. Then, to rotate certificates managed in CredHub, see Advanced Certificate Rotation with CredHub Maestro.

  • Your product tile must have one of the following versions installed to rotate CredHub-managed certificates with the Ops Manager API:

    • TAS for VMs v2.7.21 or later
    • TAS for VMs v2.8.2 or later
    • Isolation Segment tile v2.7.21 or later
    • Isolation Segment tile v2.8.2 or later
    • Small Footprint TAS for VMs v2.7.21 or later
    • Small Footprint TAS for VMs v2.8.2 or later
    • TAS for VMs [Windows] v2.7.17 or later
    • TAS for VMs [Windows] v2.8.2 or later

If you have an earlier version of a product tile listed above, use this procedure to rotate certificates managed only by Ops Manager. Then, to rotate certificates managed in CredHub, see Advanced Certificate Rotation with CredHub Maestro.

Procedure

To rotate configurable leaf certificates:

  1. Navigate to the Ops Manager Installation Dashboard.

  2. For each certificate you want to rotate:

    1. Find the text field where the certificate is configured in the Ops Manager UI.
      • The product_guid field in the Ops Manager API output can help identify the tile in which the certificate is configured. For example, the prefix p-bosh- refers to the BOSH Director tile, and the prefix cf- refers to the TAS for VMs tile.
      • The property_reference field in the Ops Manager API output can often help identify the configuration pane in which the certificate is configured. For example, the uaa.service_provider_key_credentials property is configured in the UAA pane of the TAS for VMs tile.
      • You might need to look through multiple configuration panes to identify where a certificate is configured.
    2. Paste a new value for the certificate into the field.
    3. Click Save at the bottom of each pane in which you have provided new certificates.
  3. Return to the Ops Manager Installation Dashboard.

  4. Click Review Pending Changes.

  5. Click Apply Changes.

Troubleshooting

The Ops Manager API invokes CredHub Maestro when rotating certificates. If a certificate rotation API command is unsafe, CredHub Maestro stops the command and returns one or more safety violations.

For example, CredHub Maestro stops a certificate rotation API command if you try to perform certificate rotation steps in the wrong order. Because performing these steps in the wrong order can make your deployment unstable or cause downtime, CredHub Maestro stops the command and returns an error message.

For information about how to troubleshoot safety violation errors that are returned when rotating certificates, see Troubleshooting CredHub Maestro Safety Violations During Certificate Rotation.