Checking Expiration Dates and Certificate Types
Page last updated:
This topic describes how to check the expiration dates and types of the certificate authorities (CAs) and leaf certificates that the Ops Manager API manages. After identifying the types of certificates that expire soon, you can determine which certificate rotation procedure to follow.
Overview
You must use the Ops Manager API to manually check the expiration dates and types of the certificates that the Ops Manager API manages. For more information, see Procedure below.
To configure Concourse to automatically monitor expiring certificates, you can use Platform Automation. For more information, see expiring-certificates in the Platform Automation documentation.
Procedure
To check certificate expiration dates and types through the Ops Manager API:
Follow the procedure in Using Ops Manager API to target and authenticate with the Ops Manager User Account and Authentication (UAA) server. Record your Ops Manager access token, and use it for
UAA-ACCESS-TOKEN
in the steps below.Note: When you record your Ops Manager access token, remove any newline characters such as
\n
.To retrieve the certificates, call the
/deployed/certificates
endpoint of the Ops Manager API by running:curl "https://OPS-MANAGER-FQDN/api/v0/deployed/certificates" \ -H "Authorization: Bearer UAA-ACCESS-TOKEN" \ -i
Where:
OPS-MANAGER-FQDN
is the fully-qualified domain name (FQDN) of your Ops Manager deployment.UAA-ACCESS-TOKEN
is theaccess_token
value you recorded in the previous step.
More options:- To limit command output to certificates that expire within a given time interval, append
?expires_within=TIME
to the endpoint, replacingTIME
with an integer-letter code.
- Valid letter codes are
d
for days,w
for weeks,m
for months, andy
for years. For example, querying tohttps://OPS-MANAGER-FQDN/api/v0/deployed/certificates?expires_within=6m
searches for certificates expiring within six months.
- Valid letter codes are
- To make the JSON output more readable, you can pipe your
curl
command to jq or another text editor with JSON formatting.
- To limit command output to certificates that expire within a given time interval, append
The
deployed/certificates
output lists all CAs and leaf certificates visible to the Ops Manager API, whether they are stored in Ops Manager directly or stored in CredHub. To determine the expiration date and type for each certificate listed:- Determine the expiration date from the
valid_until
value. For example, the root CA listed below expires on August 12, 2020:{ "configurable": true, "is_ca": true, "property_reference": ".properties.root_ca.fb10484dd5541a273c9d", "property_type": "rsa_cert_credentials", "product_guid": "ops_manager", "location": "ops_manager", "variable_path": null, "issuer": "/CN=ToolsmithsCA", "valid_from": "2019-08-13T15:30:22Z", "valid_until": "2020-08-12T15:30:22Z" }
- For any certificates expiring soon, use the following rules to identify their types:
- Non-rotatable certificates: Non-rotatable certificates have the following property value:
variable_path
is/opsmgr/bosh_dns/tls_ca
- Non-configurable certificates: Non-configurable leaf certificates have the following property values:
variable_path
is not/opsmgr/bosh_dns/tls_ca
configurable
isfalse
location
isops_manager
is_ca
isfalse
- Configurable certificates: Configurable leaf certificates have the following property values:
configurable
istrue
is_ca
isfalse
- CAs: CAs have the following property values:
is_ca
istrue
location
isops_manager
- Non-rotatable certificates: Non-rotatable certificates have the following property value:
- Determine the expiration date from the
After you identify the list of certificates that expire soon, follow one of the procedures listed in Certificate Rotation Procedures in Overview of Certificate Rotation.