Certificate Types

Page last updated:

Warning: Pivotal Operations Manager v2.5 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic describes the types of certificates used in Pivotal Cloud Foundry (PCF) that require planned rotation.


PCF uses a root Certificate Authority (CA) and various leaf certificates. Root CAs are self-signed certificates that issue leaf certificates. Root CAs can be generated by Pivotal or custom.

Leaf certificates are signed by a CA and are used to identify resources in PCF. Both root CAs and leaf certificates require planned rotation in PCF.

Certificate Types

The following types of PCF certificates require planned rotation:

  • Ops Manager Root CA: The Ops Manager root CA issues other certificates that PCF uses. The root CA can be a Pivotal-generated CA or your own custom CA. The Ops Manager root CA expires four years after creation. For more information about viewing the root CAs for Ops Manager, see Listing the Root Certificate Authorities.

  • Other internal CAs: The following CAs are used primarily for internal purposes:

    • BOSH NATS CA: The BOSH NATS CA is rotated automatically when you rotate the Ops Manager root CA.
    • BOSH DNS CAs: The BOSH DNS CAs are applied automatically.
  • Non-configurable Certificates: Non-configurable certificates are leaf certificates either created by a CA stored in Ops Manager, or created and stored by CredHub and managed by Ops Manager calls to the CredHub API. Non-configurable certificates are issued directly by the Ops Manager root CA, or by intermediate CAs in a chain of trust originated by the root CA. Non-configurable certificates expire after two years. For more information about about viewing non-configurable leaf certificates, see Getting Information About Certificates for Products. For more information about generating non-configurable leaf certificates, see Generating New Certificates.

  • Configurable Certificates: Configurable certificates are leaf certificates supplied by the user and copied into configuration fields in Ops Manager. Some configuration panes include a Generate RSA Certificate button that supplies valid certificates, but users can obtain configurable certificates from elsewhere. Configurable certificates generated by Ops Manager typically expire after two years. For more information about viewing configurable leaf certificates, see Getting Information About Certificates for Products.

  • Non-rotatable Certificates: Non-rotatable certificates are leaf certificates that, like non-configurable certificates, are issued by the root CA. Unlike non-configurable certificates, non-rotatable certificates cannot be rotated by the Ops Manager API. For more information about viewing non-rotatable leaf certificates, see Getting Information About Certificates for Products.

In addition to the types of certificates listed above, some Pivotal products issue their own tile certificates that are not managed by or visible to the Ops Manager API. These tile certificates do not require planned rotation because they rotate automatically with product upgrades.

Pivotal Application Service (PAS) and Enterprise Pivotal Container Service (Enterprise PKS) both use tile certificates in addition to their Ops Manager certificates.