Rotating Non-Configurable Leaf Certificates

Warning: Pivotal Operations Manager v2.4 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic describes how to rotate non-configurable leaf certificates for your Pivotal Cloud Foundry (PCF) deployment. To rotate all certificates in your PCF deployment, see Rotating the Root CA and Leaf Certificates.

Overview

This procedure rotates non-configurable leaf certificates visible to the Ops Manager API.

Warning: This procedure does not rotate the Ops Manager root certificate authority (CA) or other CAs in your deployment. To rotate CAs and leaf certificates, see Rotating the Root CA and Leaf Certificates.

Procedure

To rotate non-configurable leaf certificates:

  1. Use curl to make an API call to regenerate all non-configurable certificates. Run:

    curl "https://OPS-MANAGER-FQDN/api/v0/certificate_authorities/active/regenerate" \
          -X POST \
          -H "Authorization: Bearer UAA-ACCESS-TOKEN" \
          -H "Content-Type: application/json" \
          -d '{}' \
          -i
    

    Where:

    • OPS-MANAGER-FQDN is the fully-qualified domain name (FQDN) of your Ops Manager deployment.
    • UAA-ACCESS-TOKEN is your UAA access token.

    The API returns a successful response:

        HTTP/1.1 200 OK

  2. Navigate to the Ops Manager Installation Dashboard.

  3. If you have any on-demand service tiles installed, for each on-demand service tile:

    1. Click the tile.
    2. Click the Errands tab.
    3. Enable the Upgrade All Service Instances errand. Running this errand is necessary to push CredHub certificate updates to each service instance.
    4. Click Review Pending Changes.
    5. Click Apply Changes.
  4. If you do not have any on-demand service tiles installed:

    1. Click Review Pending Changes.
    2. Click Apply Changes.
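
The API call from step 1, wrapped so that a script stops unless the final response status is 200, as an added example that is not part of the Ops Manager documentation. The variable names OPSMAN_FQDN and UAA_ACCESS_TOKEN and the function names are assumptions made here; passing the token with -H @- requires curl 7.55.0 or later.

```bash
#!/usr/bin/env bash
# Added example; OPSMAN_FQDN and UAA_ACCESS_TOKEN are assumed variable names.

# Print the final HTTP status code found in `curl -i` output on stdin.
# Interim 1xx responses are skipped, and parsing stops at the blank line that
# ends the headers, so text in the response body cannot be mistaken for a status.
final_status() {
  awk '
    { sub(/\r$/, "") }
    /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { code = $2; next }
    /^$/ && code !~ /^1/ { exit }
    END { print code }
  '
}

# Call the regenerate endpoint from step 1; succeed only on HTTP 200.
# The bearer token is passed on stdin (-H @-) so that it does not appear
# in the process list.
regenerate_leaf_certs() {
  local response status
  response=$(printf 'Authorization: Bearer %s\n' "$UAA_ACCESS_TOKEN" |
    curl --silent --show-error -i -X POST \
      "https://${OPSMAN_FQDN}/api/v0/certificate_authorities/active/regenerate" \
      -H @- -H "Content-Type: application/json" -d '{}') || return 1
  status=$(printf '%s\n' "$response" | final_status)
  if [ "$status" != "200" ]; then
    echo "Regenerate returned HTTP '${status:-none}'; do not apply changes." >&2
    return 1
  fi
  echo "Regenerate returned 200; continue with Review Pending Changes."
}

# Constructed sample responses for checking the parser offline.
sample_ok() {
  printf 'HTTP/1.1 100 Continue\r\n\r\nHTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}\n'
}
sample_denied() {
  printf 'HTTP/1.1 401 Unauthorized\r\n\r\nHTTP/1.1 200 OK appears only in this body\n'
}

# Make the real call only when the script is run with the argument "run".
if [ "${1:-}" = "run" ]; then
  regenerate_leaf_certs
fi
```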