Checking Expiration Dates and Certificate Types

Page last updated:

This topic describes how to check the expiration dates of the Ops Manager root certificate authority (CA) and leaf certificates that the Ops Manager API manages. It also explains how to identify the types of leaf certificates that require manual rotation.

Overview

Use the Ops Manager API to manually check the expiration dates of the certificates that the Ops Manager API manages:

• The Ops Manager root CA. For more information, see Check Root CA Expiration Date below.

• The leaf certificates visible to the Ops Manager API, whether they are stored in Ops Manager directly or stored in CredHub. You can also check the types of leaf certificates that expire soon using the Ops Manager API. After identifying the types of certificates that expire soon, you can determine which certificate rotation procedure to follow. For more information, see Check Leaf Certificate Expiration Dates and Types below.

Check Root CA Expiration Date

This procedure describes how to check the expiration date for the Ops Manager root CA. The Ops Manager root CA expires four years after creation.

To check the Ops Manager root CA expiration date:

1. Follow the procedure in Using Ops Manager API to target and authenticate with the Ops Manager User Account and Authentication (UAA) server. Record your Ops Manager access token, and use it for UAA-ACCESS-TOKEN in the steps below.

   Note: When you record your Ops Manager access token, remove any newline characters such as \n.

2. To retrieve the list of Ops Manager certificates, call the /deployed/certificates endpoint of the Ops Manager API by running:

     curl "https://OPS-MANAGER-FQDN/api/v0/deployed/certificates" \
           -H "Authorization: Bearer UAA-ACCESS-TOKEN"
   

   Where:

   • OPS-MANAGER-FQDN is the fully-qualified domain name (FQDN) of your Ops Manager deployment.
   • UAA-ACCESS-TOKEN is the access_token value you recorded in the previous step.

     Note: To make the JSON output more readable, pipe it to jq or another text editor with JSON formatting.

3. In the certificate_authorities list returned, if there is more than one, find the CA with the active property set to true.

4. Determine the expiration date of the active CA by checking its expires_on value. For example, the root CA shown below expires on September 5, 2019:

   {
     "certificate_authorities": [
       {
         "guid": "9c9a110c8f82a1e4aaca",
         "issuer": "Pivotal",
         "created_on": "2017-09-05T22:47:53Z",
         "expires_on": "2019-09-05T22:47:53Z",
         "active": true,
         "cert_pem": "-----BEGIN CERTIFICATE-----\
         [...]
         \n-----END CERTIFICATE-----\n"
   

5. After determining when the Ops Manager root CA expires, check your deployment’s leaf certificate expiration dates and types by following the procedure in Check Leaf Certificate Expiration Dates and Types below.

Check Leaf Certificate Expiration Dates and Types

This procedure describes how to check the expiration dates of leaf certificates using the deployed/certificates Ops Manager API endpoint. It also describes how to identify non-configurable, configurable, and non-rotatable leaf certificates in the output from the deployed/certificates endpoint.

To check the expiration dates of leaf certificates and identify the types of leaf certificates that expire soon:

1. Check the system for certificates that expire within a given time interval by running:

   curl "https://OPS-MANAGER-FQDN/api/v0/deployed/certificates?expires_within=TIME" \
         -H "Authorization: Bearer UAA-ACCESS-TOKEN"
         -i
   

   Where:

   • OPS-MANAGER-FQDN is the FQDN of your Ops Manager deployment.
   • UAA-ACCESS-TOKEN is the access_token value you recorded in the previous section.
   • TIME is integer-letter code.
     • Valid letter codes are d for days, w for weeks, m for months, and y for years.
       For example, querying to https://OPS-MANAGER-FQDN/api/v0/deployed/certificates?expires_within=6m searches for certificates expiring within six months.

       Note: To make the JSON output more readable, pipe it to jq or another text editor with JSON formatting.

2. The deployed/certificates output lists all CAs and leaf certificates visible to the Ops Manager API, whether they are stored in Ops Manager directly or stored in CredHub. To determine the expiration date and type for each certificate listed:

   1. Determine the expiration date from the expires_on value.
   2. For any certificates expiring soon, use the following rules to identify their types:
      • Non-rotatable certificates: Non-rotatable certificates have the following property value:
        • variable_path is /opsmgr/bosh_dns/tls_ca
      • Non-configurable certificates: Non-configurable leaf certificates have the following property values:
        • configurable is false
        • location is either ops_manager or credhub
      • Configurable certificates: Configurable leaf certificates have the following property values:
        • configurable is true

3. After you identify the list of certificates that expire soon, follow one of the procedures listed in Certificate Rotation Procedures in Overview of Certificate Rotation.