Rotating Configurable Leaf Certificates
Warning: Pivotal Operations Manager v2.3 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.
This topic describes how to rotate configurable leaf certificates for your Pivotal Cloud Foundry (PCF) deployment. To rotate all certificates in your PCF deployment, see Rotating the Root CA and Leaf Certificates.
Overview
Configurable certificates are generated by the user and copied into Ops Manager configuration panes where needed. Examples include certificates that terminate SSL traffic into Pivotal Application Service (PAS), or authenticate a Single Sign-On (SSO) for PCF service plan to an external SAML server.
To rotate SAML certificates for both PAS and the SSO service, see Rotating Identity Provider SAML Certificates.
Warning: This procedure does not rotate the Ops Manager root certificate authority (CA) or other CAs in your deployment. To rotate CAs and leaf certificates, see Rotating the Root CA and Leaf Certificates.
Procedure
To rotate configurable leaf certificates:
Navigate to the Ops Manager Installation Dashboard.
For each certificate you want to rotate:
- Find the text field where the certificate is configured in the Ops Manager UI.
  - The product_guid field in the Ops Manager API output can help identify the tile in which the certificate is configured. For example, the prefix p-bosh- refers to the BOSH Director tile, and the prefix cf- refers to the PAS tile.
  - The property_reference field in the Ops Manager API output can often help identify the configuration pane in which the certificate is configured. For example, the uaa.service_provider_key_credentials property is configured in the UAA pane of the PAS tile.
  - You might need to look through multiple configuration panes to identify where a certificate is configured.
- Paste a new value for the certificate into the field.
- Click Save at the bottom of each pane in which you have provided new certificates.
Return to the Ops Manager Installation Dashboard.
Click Review Pending Changes.
Click Apply Changes.
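The product_guid and property_reference hints in the procedure above can be turned into a rotation worklist. The following is an added example, not code from the original page or from Ops Manager. It runs on a constructed sample: only the product_guid and property_reference field names and the p-bosh- and cf- prefixes come from this page, while the configurable and valid_until field names and all values are assumptions.

```python
import json
from datetime import datetime, timezone

# Tile prefixes named on this page; any other prefix is reported as unknown.
TILE_PREFIXES = {"p-bosh-": "BOSH Director", "cf-": "PAS"}

# Constructed sample shaped like a certificate list in the Ops Manager API
# output. Only product_guid and property_reference come from this page; the
# "configurable" and "valid_until" names and every value are assumptions.
SAMPLE = json.loads("""
{"certificates": [
  {"product_guid": "cf-0123456789abcdef0123", "configurable": true,
   "property_reference": "uaa.service_provider_key_credentials", "valid_until": "2025-03-01T00:00:00Z"},
  {"product_guid": "p-bosh-0123456789abcdef", "configurable": true,
   "property_reference": "properties.director_ssl", "valid_until": "2025-01-15T00:00:00Z"},
  {"product_guid": "cf-0123456789abcdef0123", "configurable": false,
   "property_reference": "router.internal_cert", "valid_until": "2025-01-01T00:00:00Z"},
  {"product_guid": "example-tile-fedcba987654", "configurable": true,
   "property_reference": "properties.tls_cert", "valid_until": "2026-06-30T00:00:00Z"}
]}
""")


def tile_for(product_guid):
    """Map a product_guid to the tile it belongs to, using its prefix."""
    for prefix, tile in TILE_PREFIXES.items():
        if product_guid.startswith(prefix):
            return tile
    return "unknown tile (%s)" % product_guid


def rotation_worklist(api_output, now, within_days=90):
    """Return (days_left, tile, property_reference) tuples, soonest first."""
    rows = []
    for cert in api_output.get("certificates", []):
        if not cert.get("configurable"):
            continue  # non-configurable certificates are not covered by this procedure
        expires = datetime.fromisoformat(cert["valid_until"].replace("Z", "+00:00"))
        days_left = (expires - now).days
        if days_left <= within_days:
            rows.append((days_left, tile_for(cert["product_guid"]),
                         cert["property_reference"]))
    return sorted(rows)


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for days, tile, ref in rotation_worklist(SAMPLE, now):
        print("%4d days  %-14s %s" % (days, tile, ref))
```

Each row names the tile to open and the property to look for in its configuration panes. A certificate that has already expired shows a negative day count and sorts first.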