Certificate Types

Page last updated:

This topic describes the types of certificates used in Pivotal Platform that require planned rotation.


Pivotal Platform uses a root Certificate Authority (CA) and various leaf certificates. Root CAs are self-signed certificates that issue leaf certificates. Root CAs can be generated by Pivotal or custom.

Leaf certificates are signed by a CA and are used to identify resources in Pivotal Platform. Both root CAs and leaf certificates require planned rotation in Pivotal Platform.

Certificate Types

The following types of Pivotal Platform certificates require planned rotation:

  • Ops Manager Root CA: The Ops Manager root CA issues other certificates that Pivotal Platform uses. The root CA can be a Pivotal-generated CA or your own custom CA. The Ops Manager root CA expires four years after creation. For more information about viewing the root CAs for Ops Manager, see Listing the Root Certificate Authorities.

  • Other internal CAs: The following CAs are used primarily for internal purposes:

    • BOSH NATS CA: The BOSH NATS CA is rotated automatically when you rotate the Ops Manager root CA. The BOSH NATS CA is rotatable in PCF v2.3.10 or later, PCF v2.4.4 or later, and PCF v2.5 or later. For more information, see 2.3.10 in Ops Manager v2.3 Release Notes and 2.4.4 in Ops Manager v2.4 Release Notes.
    • BOSH DNS CAs: The BOSH DNS CAs are applied automatically when you upgrade to PCF v2.3. You cannot rotate the BOSH DNS CAs. To apply all BOSH DNS leaf certificates after upgrading to v2.3, you must rotate all certificates in your environment. For more information, see BOSH DNS Certificate Authority Upgrades in Ops Manager v2.3 Release Notes.
  • Non-configurable Certificates: Non-configurable certificates are leaf certificates either created by a CA stored in Ops Manager, or created and stored by CredHub and managed by Ops Manager calls to the CredHub API. Non-configurable certificates are issued directly by the Ops Manager root CA, or by intermediate CAs in a chain of trust originated by the root CA. Non-configurable certificates expire after two years. For more information about about viewing non-configurable leaf certificates, see Getting Information About Certificates for Products. For more information about generating non-configurable leaf certificates, see Generating New Certificates.

  • Configurable Certificates: Configurable certificates are leaf certificates supplied by the user and pasted into configuration fields in Ops Manager. Some configuration panes include a Generate RSA Certificate button that supplies valid certificates, but users can obtain configurable certificates from elsewhere. Configurable certificates generated by Ops Manager typically expire after two years. For more information about viewing configurable leaf certificates, see Getting Information About Certificates for Products.

  • Non-rotatable Certificates: Non-rotatable certificates are leaf certificates that, like non-configurable certificates, are issued by the root CA. Unlike non-configurable certificates, non-rotatable certificates cannot be rotated by the Ops Manager API. For more information about viewing non-rotatable leaf certificates, see Getting Information About Certificates for Products.

In addition to the types of certificates listed above, some Pivotal products issue their own tile certificates that are not managed by or visible to the Ops Manager API. These tile certificates do not require planned rotation because they rotate automatically with product upgrades.

Pivotal Application Service (PAS) and Pivotal Container Service (PKS) both use tile certificates in addition to their Ops Manager certificates.