Rotating Certificates

Rotate Services TLS Certificate Authority
Certificates Used by Tanzu SQL for VMs

Note: In v2.9 and later, MySQL for VMware Tanzu is named VMware Tanzu SQL with MySQL for VMs.

Page last updated:

This topic describes how to check expiration dates and rotate certificates used by VMware Tanzu SQL with MySQL for VMs.

Rotate Services TLS Certificate Authority

To rotate the Services TLS CA and its leaf certificates, use one of the following procedures:

Ops Manager v2.10: See Rotating the Services TLS CA and Its Leaf Certificates.
Ops Manager v2.9: See Rotating the Services TLS CA and Its Leaf Certificates.
Ops Manager v2.8: See Rotating the Services TLS CA and Its Leaf Certificates.
Ops Manager v2.7: See Rotating the Services TLS CA and Its Leaf Certificates.

Ops Manager v2.9 and later is compatible with CredHub Maestro. Tanzu SQL for VMs v2.8 and later is compatible with CredHub Maestro.

Certificates Used by Tanzu SQL for VMs

If you are using Ops Manager v2.9 or later, you can rotate all MySQL certificates in the table below using CredHub Maestro. For Ops Manager v2.9 and earlier, you can rotate the Services TLS CA using a manual procedure. For more information about procedures to use to rotate certificates, see Rotate Services TLS Certificate Authority above.

The following table lists the certificates used by Tanzu SQL for VMs:

Certificate	Rotated by Tanzu SQL for VMs?
`/services/tls_ca`	No
`/opsmgr/pivotal-mysql-GUID/adbr_api_cert`	No
`/p-bosh/pivotal-mysql-GUID/agent_ca_2_9_x`	No
`/p-bosh/pivotal-mysql-GUID/agent_client_ssl_2_9_x`	No
`/p-bosh/pivotal-mysql-GUID/agent_server_ssl_2_9_x`	No
`/p-bosh/pivotal-mysql-GUID/services_tls_accessor_cert`	No
`/p-bosh/service-instance_GUID/adbr_agent_cert`	No
`/p-bosh/service-instance_GUID/agent_ca`	No
`/p-bosh/service-instance_GUID/agent_client_tls`	No
`/p-bosh/service-instance_GUID/agent_server_tls`	No
`/p-bosh/service-instance_GUID/mysql_server_tls`	No
`/p-bosh/service-instance_GUID/pxc_internal_ca`	No
`/p-bosh/service-instance_GUID/pxc_tls_ca`	No
`/p-bosh/service-instance_GUID/pxc_tls_server`	No
`/p-bosh/service-instance_GUID/restore_ca`	No
`/p-bosh/service-instance_GUID/restore_client_tls`	No
`/p-bosh/service-instance_GUID/restore_server_tls`	No
`/p-bosh/service-instance_GUID/streaming_backup_ca`	Yes
`/p-bosh/service-instance_GUID/streaming_backup_server_cert`	Yes

In the table above, GUID is the GUID for the service instance. To find the GUID for your service instance, follow the procedure in Find Information about Your Service Instance.

If you are using a PXC-type database, Tanzu SQL for VMs rotates the Galera certificate by renaming it.

Create a pull request or raise an issue on the source for this page in GitHub