The Ops Manager API manages and lists internal Certificate Authorities (CAs) and leaf certificates that enable Tanzu Application Service (TAS) for VMs components to communicate with each other securely using TLS. It can also list certificates used externally, such as SAML certificates that authenticate to an external identity provider.
For more information about the CAs and leaf certificates visible to the Ops Manager API, see Certificate Types.
Rotate CAs and leaf certificates before they expire to avoid downtime for your foundation.
To rotate certificates in TAS for VMs, first check the expiration dates of all certificates. Then, based on the types of certificates that expire soon, follow a certificate rotation procedure to replace the expiring certificates and redeploy BOSH to apply the changes.
This section describes how to manually check the expiration dates of the CAs and leaf certificates that the Ops Manager API lists and manages. It also explains how to identify the types of certificates that require manual rotation.
To check certificate expiration dates and types by TAS for VMs version:
After identifying the types of certificates that expire soon, you can determine which certificate rotation procedure to follow using this KB article.
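The following Python example, added here and not taken from the Ops Manager documentation, runs the expiration check described above on a constructed certificate list: it selects entries that expire within a window and groups them as CA, configurable leaf, or non-configurable leaf. The field names (`is_ca`, `configurable`, `property_reference`, `valid_until`), the placeholder references, and the three-way grouping are assumptions; verify them against the response your Ops Manager version returns.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, not real output. Field names are assumptions modelled on
# a certificate listing; property references are placeholders.
SAMPLE = json.loads("""
{"certificates": [
  {"property_reference": ".example.root_ca", "is_ca": true,
   "configurable": false, "valid_until": "2025-03-01T00:00:00Z"},
  {"property_reference": ".example.router_cert", "is_ca": false,
   "configurable": true, "valid_until": "2025-02-10T00:00:00Z"},
  {"property_reference": ".example.internal_tls", "is_ca": false,
   "configurable": false, "valid_until": "2027-01-01T00:00:00Z"},
  {"property_reference": ".example.saml_cert", "is_ca": false,
   "configurable": true, "valid_until": "2024-12-25T00:00:00Z"}
]}
""")["certificates"]


def parse_ts(value):
    """Parse a UTC timestamp such as 2025-03-01T00:00:00Z."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def cert_type(cert):
    """Group a certificate as a CA, a configurable leaf, or a non-configurable leaf."""
    if cert["is_ca"]:
        return "ca"
    return "configurable_leaf" if cert["configurable"] else "non_configurable_leaf"


def expiring(certs, now, within_days):
    """Return (type, reference, days_left) tuples, soonest expiry first.

    Certificates that have already expired are included with negative days_left.
    """
    cutoff = now + timedelta(days=within_days)
    hits = []
    for cert in certs:
        until = parse_ts(cert["valid_until"])
        if until <= cutoff:
            days_left = (until - now).days
            hits.append((cert_type(cert), cert["property_reference"], days_left))
    return sorted(hits, key=lambda hit: hit[2])


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed for a repeatable run
    for kind, ref, days in expiring(SAMPLE, now, within_days=90):
        print(f"{days:>5} days  {kind:<22} {ref}")
```

Already-expired entries sort first with a negative day count, so they are not silently dropped from the report.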
To configure Concourse to automatically monitor expiring certificates, you can use Platform Automation. For more information, see expiring-certificates in the Platform Automation documentation.