Page last updated:
This topic describes the types of certificates used in VMware Tanzu Operations Manager (Ops Manager) that require planned rotation.
Ops Manager uses certificate authorities (CAs) and various leaf certificates. CAs are self-signed certificates that issue leaf certificates. CAs can be custom or generated by Ops Manager.
Leaf certificates are signed by a CA and are used to identify resources in Ops Manager. Both root CAs and leaf certificates require planned rotation in Ops Manager.
CAs and leaf certificates are stored in Ops Manager or CredHub. You can manage both Ops Manager and CredHub certificates with the Ops Manager API. You can also manage CredHub certificates with CredHub Maestro.
In addition to the types of certificates listed in this topic, some Ops Manager products issue their own tile certificates that are not managed by or visible to the Ops Manager API. These tile certificates do not require planned rotation because they rotate automatically with product upgrades.
VMware Tanzu Application Service for VMs (TAS for VMs) and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) both use tile certificates in addition to their Ops Manager certificates.
The following types of Ops Manager certificates require planned rotation and can be viewed and managed with the Ops Manager API:
Ops Manager root CA: The Ops Manager root CA issues other certificates that Ops Manager uses. The root CA can be an Ops Manager-generated CA or your own custom CA. The Ops Manager root CA expires four years after creation. For more information about viewing the root CAs for Ops Manager, see Listing the Root Certificate Authorities in the Ops Manager API documentation.
Other internal CAs: The following CAs are used primarily for internal purposes:
- BOSH NATS CA: The BOSH NATS CA is rotated automatically when you rotate the Ops Manager root CA.
- BOSH DNS CAs: The BOSH DNS CAs are managed by CredHub and applied automatically.
Other CredHub-managed certificates: You can also manage CAs and leaf certificates stored in CredHub, such as the Diego root CA. In TKGI v1.9 and later, these include the cluster-specfic
etcd_ca_2018CAs and their leaf certificates.
Non-configurable certificates: Non-configurable certificates are leaf certificates either created by a CA stored in Ops Manager, or created and stored by CredHub and managed by Ops Manager calls to the CredHub API. Non-configurable certificates are issued directly by the Ops Manager root CA, or by intermediate CAs in a chain of trust originated by the root CA. Non-configurable certificates expire after two years. For more information about about viewing non-configurable leaf certificates, see Getting Information About Certificates from Products in the Ops Manager API documentation. For more information about generating non-configurable leaf certificates, see Generating New Certificates in the Ops Manager API documentation.
Configurable certificates: Configurable certificates are leaf certificates supplied by the user and pasted into configuration fields in Ops Manager. Some configuration panes include a Generate RSA Certificate button that supplies valid certificates, but users can obtain configurable certificates from elsewhere. Configurable certificates generated by Ops Manager typically expire after two years. For more information about viewing configurable leaf certificates, see Getting Information About Certificates from Products in the Ops Manager API documentation.
Non-rotatable certificates: Non-rotatable certificates are leaf certificates that, like non-configurable certificates, are issued by the root CA. Unlike non-configurable certificates, non-rotatable certificates cannot be rotated by the Ops Manager API. For more information about viewing non-rotatable leaf certificates, see Getting Information About Certificates from Products in the Ops Manager API documentation.