Rotating Configurable Leaf Certificates

Page last updated:

Warning: Pivotal Operations Manager v2.3 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic describes how to rotate configurable leaf certificates for your Pivotal Cloud Foundry (PCF) deployment. To rotate all certificates in your PCF deployment, see Rotating the Root CA and Leaf Certificates.

Overview

Configurable certificates are generated by the user and copied into Ops Manager configuration panes where needed. Examples include certificates that terminate SSL traffic into Pivotal Application Service (PAS), or authenticate a Single Sign-On (SSO) for PCF service plan to an external SAML server.

To rotate SAML certificates for both PAS and the SS0 service, see Rotating Identity Provider SAML Certificates.

Warning: This procedure does not rotate the Ops Manager root certificate authority (CA) or other CAs in your deployment. To rotate CAs and leaf certificates, see Rotating the Root CA and Leaf Certificates.

Procedure

To rotate configurable leaf certificates:

  1. Navigate to the Ops Manager Installation Dashboard.

  2. For each certificate you want to rotate:

    1. Find the text field where the certificate is configured in the Ops Manager UI.
    2. The product_guid field in the Ops Manager API output can help identify the tile in which the certificate is configured. For example, the prefix p-bosh- refers to the BOSH Director tile, and the prefix cf- refers to the PAS tile.
    3. The property_reference field in the Ops Manager API output can often help identify the configuration pane in which the certificate is configured. For example, the uaa.service_provider_key_credentials property is configured in the UAA pane of the PAS tile.
    4. You might need to look through multiple configuration panes to identify where a certificate is configured.
    5. Paste a new value for the certificate into the field.
    6. Click Save at the bottom of each pane in which you have provided new certificates.

  3. Return to the Ops Manager Installation Dashboard.

  4. Click Review Pending Changes.

  5. Click Apply Changes.