Rotating Non-Configurable Leaf Certificates

Page last updated:

This topic describes how to rotate non-configurable leaf certificates for your Ops Manager deployment. To rotate all certificates in your Ops Manager deployment, see Rotating CAs and Leaf Certificates.


This procedure rotates non-configurable leaf certificates visible to the Ops Manager API, whether they are managed and stored by Ops Manager directly, or by CredHub at Ops Manager request.

Warning: This procedure does not rotate the Ops Manager root certificate authority (CA) or other CAs in your deployment. To rotate CAs and leaf certificates, see Rotating CAs and Leaf Certificates.

Before rotating non-configurable leaf certificates, you must:


To rotate non-configurable leaf certificates:

  1. Use curl to make an API call to regenerate all non-configurable certificates. Run:

    curl "https://OPS-MANAGER-FQDN/api/v0/certificate_authorities/active/regenerate" \
          -X POST \
          -H "Authorization: Bearer UAA-ACCESS-TOKEN" \
          -H "Content-Type: application/json" \
          -d '{}'


    • OPS-MANAGER-FQDN is the FQDN of your Ops Manager deployment.
    • UAA-ACCESS-TOKEN is your UAA access token.

      The API returns a successful response:
      HTTP/1.1 200 OK
  2. Navigate to the Ops Manager Installation Dashboard.

  3. If you have any on-demand service tiles installed, for each on-demand service tile:

    1. Click the tile.
    2. Click the Errands tab.
    3. Enable the Upgrade All Service Instances errand. Running this errand is necessary to push CredHub certificate updates to each service instance.
    4. Click Review Pending Changes.
    5. Click Apply Changes.
  4. If you do not have any on-demand service tiles installed:

    1. Click Review Pending Changes.
    2. Click Apply Changes.