Rotating Configurable Leaf Certificates
This topic describes how to rotate configurable leaf certificates for your Pivotal Platform deployment. To rotate all certificates in your Pivotal Platform deployment, see Rotating CAs and Leaf Certificates.
Overview
Configurable certificates are generated by the user and pasted into Ops Manager configuration panes where needed. Examples include certificates that terminate SSL traffic into Pivotal Application Service (PAS), or authenticate a Pivotal Single Sign-On (SSO) service plan to an external SAML server.
To rotate SAML certificates for both PAS and the SSO service, see Rotating Identity Provider SAML Certificates.
Warning: This procedure does not rotate the Ops Manager root certificate authority (CA) or other CAs in your deployment. To rotate CAs and leaf certificates, see Rotating CAs and Leaf Certificates.
Procedure
To rotate configurable leaf certificates:
Navigate to the Ops Manager Installation Dashboard.
For each certificate you want to rotate:
- Find the text field where the certificate is configured in the Ops Manager UI.
  - The product_guid field in the Ops Manager API output can help identify the tile in which the certificate is configured. For example, the prefix p-bosh- refers to the BOSH Director tile, and the prefix cf- refers to the PAS tile.
  - The property_reference field in the Ops Manager API output can often help identify the configuration pane in which the certificate is configured. For example, the uaa.service_provider_key_credentials property is configured in the UAA pane of the PAS tile.
  - You might need to look through multiple configuration panes to identify where a certificate is configured.
- Paste a new value for the certificate into the field.
- Click Save at the bottom of each pane in which you have provided new certificates.
Return to the Ops Manager Installation Dashboard.
Click Review Pending Changes.
Click Apply Changes.
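The following added example, which is not part of the original Pivotal documentation, shows one way to turn saved Ops Manager API output into a per-tile worklist for the identification step above. Only the product_guid and property_reference fields and the two tile prefixes come from this page; the "certificates", "configurable" and "valid_until" keys, the function names and all sample values are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Tile prefixes named on this page; any other prefix is reported as unknown.
TILE_PREFIXES = {"p-bosh-": "BOSH Director", "cf-": "PAS"}

# Constructed sample shaped like a certificate list in Ops Manager API output.
# Only product_guid and property_reference are taken from this page; the
# "certificates", "configurable" and "valid_until" keys are assumptions.
SAMPLE_OUTPUT = """
{"certificates": [
  {"configurable": true, "product_guid": "cf-0a1b2c3d4e5f",
   "property_reference": "uaa.service_provider_key_credentials",
   "valid_until": "2020-03-01T00:00:00Z"},
  {"configurable": false, "product_guid": "cf-0a1b2c3d4e5f",
   "property_reference": "example.internal_certificate",
   "valid_until": "2020-02-01T00:00:00Z"},
  {"configurable": true, "product_guid": "p-bosh-9f8e7d6c5b4a",
   "property_reference": "example.director_certificate",
   "valid_until": "2020-01-15T00:00:00Z"},
  {"configurable": true, "product_guid": "example-tile-1234",
   "property_reference": "example.tls_certificate",
   "valid_until": "2020-04-01T00:00:00Z"}
]}
"""

def tile_for(product_guid):
    """Map a product_guid to a tile name using the prefixes from this page."""
    for prefix, tile in TILE_PREFIXES.items():
        if product_guid.startswith(prefix):
            return tile
    return "unknown tile (" + product_guid + ")"

def rotation_worklist(api_output):
    """Group configurable certificates by tile, soonest expiry first."""
    worklist = defaultdict(list)
    for cert in json.loads(api_output).get("certificates", []):
        if not cert.get("configurable"):
            continue  # non-configurable certificates are outside this procedure
        worklist[tile_for(cert.get("product_guid", ""))].append(
            (cert.get("valid_until", ""), cert.get("property_reference", "")))
    return {tile: sorted(entries) for tile, entries in worklist.items()}

if __name__ == "__main__":
    for tile, entries in rotation_worklist(SAMPLE_OUTPUT).items():
        print(tile)
        for valid_until, prop in entries:
            print("  ", valid_until, prop)
```

Entries reported under an unknown tile still need to be located by hand, since the page names only the p-bosh- and cf- prefixes.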