Accessing BOSH CredHub with the CredHub CLI

Page last updated:

Warning: Pivotal Operations Manager v2.3 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic provides the procedure for accessing BOSH CredHub with the CredHub CLI.

For example, you may need to access BOSH CredHub to rotate the Services TLS CA and its leaf certificates. For more information, see Rotating the Services TLS CA and Its Leaf Certificates.


Ops Manager stores some of its internal certificate authority (CA) and non-CA certificates in the BOSH CredHub credentials store. For more information, see BOSH CredHub.

To access the BOSH CredHub credentials store, you must retrieve credentials from the BOSH Director and then use the credentials to log in to CredHub from the Ops Manager VM.


To access BOSH CredHub:

  1. In the Ops Manager Installation Dashboard, click the BOSH Director tile.

  2. Click the Credentials tab.

  3. In the BOSH Director section, click the link to the BOSH Commandline Credentials.

  4. Record the values for BOSH_CLIENT and BOSH_CLIENT_SECRET.
    For example:


    The BOSH_CLIENT is the BOSH CredHub client name and the BOSH_CLIENT_SECRET is the BOSH CredHub client secret.

  5. Follow the procedure in Gather Credential and IP Address Information to obtain the information needed to log in to the BOSH Director VM. Record the IP address for the BOSH Director and the Director Credentials.

  6. Log in to the Ops Manager VM by following the procedure in Log in to the Ops Manager VM with SSH.

  7. From the Ops Manager VM, set the API target of the CredHub CLI to your BOSH CredHub server by running the following command:

    credhub api  \
    https://BOSH-DIRECTOR-IP:8844 \

    Where BOSH-DIRECTOR-IP is the IP address of the BOSH Director VM you recorded above.

    For example:

    $ credhub api \ \

  8. Log in to CredHub by running the following command:

    credhub login \
    --client-name=CREDHUB-CLIENT-NAME \


    • CREDHUB-CLIENT-NAME is the value you recorded for BOSH_CLIENT earlier in this procedure.
    • CREDHUB-CLIENT-SECRET is the value you recorded for BOSH_CLIENT_SECRET earlier in this procedure.

    For example:

    $ credhub login \
    --client-name=credhub \