Reviewing and Resetting Manually Set Certificates in BOSH CredHub

Page last updated:

This topic describes how you can identify and update certificates that either you or another operator have set manually in BOSH CredHub.

Overview

A manually set certificate is a certificate that an operator has added directly to BOSH CredHub through the CredHub CLI instead of using a CredHub-generated certificate.

For example, you or another operator may have provided an existing certificate to BOSH CredHub as described in the Preparing for TLS procedure of the MySQL for PCF documentation.

To ensure that Ops Manager does not rotate these certificates alongside CredHub-generated certificates, you must ensure that the generated field of all manually set certificates is set to false in CredHub.

In this procedure, you use the CredHub CLI to review existing certificates and then check for manually set certificates. If you find any manually set certificates that require updates, you can use the CredHub CLI to reset the certificate.

Find BOSH Client Credentials and BOSH Director IP Address

You need the BOSH client name and client secret to use the CredHub CLI.

To find the BOSH CredHub client name and client secret, do the following:

  1. In the Ops Manager Installation Dashboard, click the BOSH Director tile.
  2. Click the Credentials tab.
  3. In the BOSH Director section, click the link next to the BOSH Commandline Credentials. The 'Credentials'
    page includes several rows of credentials that are used in BOSH Director's configuration. 
    The table row called out in this screenshot is the BOSH Commandline Credentials.
    Next to BOSH Commandline Credentials is a hyperlink entitled 'Link to Credential'.
  4. Record the values for BOSH_CLIENT and BOSH_CLIENT_SECRET.

    Here is an example of the credentials page:

    {"credential":"BOSH_CLIENT=ops_manager
    BOSH_CLIENT_SECRET=abcdefghijklm123456789
    BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate
    BOSH_ENVIRONMENT=10.0.0.5 bosh "}
    
  5. Click on the Status tab.

  6. In the BOSH Director row, locate and record the IP address of BOSH Director. For example, 10.0.0.5.

Target and Log in to the BOSH CredHub API Server

You can run CredHub CLI commands on the Ops Manager VM.

To login and access the CredHub API, do the following:

  1. SSH into the Ops Manager VM. For IaaS-specific instructions on how to SSH, see see Advanced Troubleshooting with the BOSH CLI.

  2. Set the CredHub API target of the CLI by running the following command:

    credhub api https://BOSH-DIRECTOR:8844 --ca-cert=/var/tempest/workspaces/default/root_ca_certificate
    


    Where BOSH-DIRECTOR is the IP address of the BOSH Director VM.

    For example:

    $ credhub api https://10.0.0.5:8844 --ca-cert=/var/tempest/workspaces/default/root_ca_certificate
    

  3. Log in to CredHub by running the following command:

    credhub login --client-name=CREDHUB-CLIENT-NAME --client-secret=CREDHUB-CLIENT-SECRET
    

    Where:

Check Certificates in CredHub

After logging in to CredHub, you can query the CredHub API on the command line.

To retrieve a list of CredHub certificates, do the following:

  1. To retrieve a list of all the certificates stored in CredHub, run the following command:

    credhub curl -p "/api/v1/certificates" -X GET | jq
    
  2. In the JSON output, check the value of the generated field of each certificate. For example:

    {
    "certificates": [
    {
      "name": "/services/tls_ca",
      "id": "1b378f9c-d3dc-4519-9cde-20397f9d8d6b",
      "versions": [
        {
          "id": "3e41bba8-1373-4b51-b774-d65d9a0b87b4",
          "expiry_date": "2020-09-19T14:36:36Z",
          "transitional": false,
          "certificate_authority": true,
          "self_signed": true,
          "generated": null
        },
    
  3. For each certificate where generated value is null, perform the procedure described in Reset a Certificate in CredHub.

Reset a Certificate in CredHub

To reset a certificate in CredHub, do the following:

  1. Retrieve a manually set certificate by running the following commands:

    credhub get -n MY-SET-CERTIFICATE -k certificate > /tmp/certificate.yml
    credhub get -n MY-SET-CERTIFICATE -k ca > /tmp/ca.yml
    credhub get -n MY-SET-CERTIFICATE -k private_key > /tmp/private_key.yml
    

    Where MY-SET-CERTIFICATE is the value of the name field in the manually set certificate you want to retrieve.

    For example:

    $ credhub get -n /services/tls_ca -k certificate > /tmp/certificate.yml
    $ credhub get -n /services/tls_ca -k ca > /tmp/ca.yml
    $ credhub get -n /services/tls_ca -k private_key > /tmp/private_key.yml
    

  2. Reset the certificate depending on the certificate type.

    • If the retrieved certificate is a root CA certificate, run the following:

      credhub set -n MY-SET-CERTIFICATE -t certificate -r /tmp/ca.yml -c /tmp/certificate.yml -p /tmp/private_key.yml
      

      Where MY-SET-CERTIFICATE is the name of the manually set certificate you want to reset.

      For example:

      $ credhub set -n /services/tls_ca -t certificate -r /tmp/ca.yml -c /tmp/certificate.yml -p /tmp/private_key.yml
      

    • If the retrieved certificate is an intermediate or leaf certificate, run the following:

      credhub set -n MY-SET-CERTIFICATE -t certificate -c /tmp/certificate.yml -p /tmp/private_key.yml -m NAME-OF-SIGNING-CA
      

      Where:

      • MY-SET-CERTIFICATE is the name of the manually set certificate you want to reset.
      • NAME-OF-SIGNING-CA is the name of the signing root CA certificate.

        For example:
        $ credhub set -n /opsmgr/cf-123455677890/some_service_certificate -t certificate -c /tmp/certificate.yml -m /services/tls_ca