This Knowledge Base (KB) article describes how to rotate an already expired root certificate authority called /services/tls_ca. Refer to this article for information on what /services/tls_ca is and how it is used.
OS: all
Normally, when the environment is in a healthy state, you would follow the official rotation procedure from the Broadcom Documentation for Operations Manager 2.9 or later.
Because /services/tls_ca is currently expired, the system is in a degraded state. As a result, you only have to perform a subset of the original procedure to recover the environment.
Please follow the procedure that matches your version of Operations Manager.
Use the Broadcom Documentation as your baseline procedure. Perform the following steps sequentially:
1. Obtain or generate a new CA certificate. Add the new CA certificate to the Operations Manager Director Tile and remove the old expired cert.
2. Add the new CA certificate to TAS and Isolation Segment Tiles and remove the old expired cert.
3. Set the new CA certificate as /services/tls_ca.
4. Perform the Third Apply Changes step.
Use the Maestro procedure as your baseline procedure. Perform the following steps sequentially:
# Generate a new self-signed CA in CredHub (1825 days = 5 years); --no-overwrite
# refuses to replace an existing /services/new_ca
credhub generate \
  --name="/services/new_ca" \
  --type="certificate" \
  --no-overwrite \
  --is-ca \
  --duration=1825 \
  --common-name="opsmgr-services-tls-ca"

# Export the three parts of the new CA to local files
credhub get -n /services/new_ca -k ca > new_ca.ca
credhub get -n /services/new_ca -k certificate > new_ca.certificate
credhub get -n /services/new_ca -k private_key > new_ca.private_key

# Overwrite the expired /services/tls_ca with the new CA material
credhub set -n /services/tls_ca \
  --type=certificate \
  --root=new_ca.ca \
  --certificate=new_ca.certificate \
  --private=new_ca.private_key
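Between the credhub get and credhub set steps it is worth confirming that the exported files really hold a usable CA before they overwrite /services/tls_ca, because a wrong or mismatched file would leave the environment just as broken as the expired one. The following pre-flight check is an added example and is not part of the KB article, Maestro or CredHub; it assumes the openssl CLI is installed on the host where the credhub commands are run, and the function name verify_ca_cert is my own. It verifies that the file parses as X.509, carries basicConstraints CA:TRUE, is still valid for at least a minimum number of days (so an expired certificate is rejected), and that the private key matches the certificate.

```shell
#!/bin/sh
# verify_ca_cert CERT.pem [KEY.pem] [MIN_DAYS]
# Pre-flight check for a PEM CA certificate before it is loaded into
# /services/tls_ca with "credhub set". Returns 0 only if the file parses as
# X.509, is marked as a CA, is still valid for at least MIN_DAYS (default 30)
# and, when a key file is given, the key matches the certificate.
# Assumes the openssl CLI is available; the function name is hypothetical.
verify_ca_cert() {
    cert="$1"
    key="${2:-}"
    min_days="${3:-30}"
    seconds=$((min_days * 86400))

    # Must parse as a PEM X.509 certificate at all.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "FAIL: $cert is not a PEM X.509 certificate" >&2
        return 1
    fi

    # Must carry basicConstraints CA:TRUE, or it cannot issue service certs.
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "FAIL: $cert is not a CA certificate (CA:TRUE missing)" >&2
        return 1
    fi

    # -checkend exits non-zero if the cert expires within the given number of
    # seconds; an already expired certificate therefore fails here as well.
    if ! openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $min_days days ($(openssl x509 -in "$cert" -noout -enddate 2>/dev/null))" >&2
        return 1
    fi

    # Optional: the private key must correspond to the certificate's public key,
    # otherwise the stored CA can never sign anything.
    if [ -n "$key" ]; then
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "FAIL: $key does not match the public key in $cert" >&2
            return 1
        fi
    fi

    echo "OK: $cert is a CA certificate valid for more than $min_days days"
    return 0
}

# Stand-alone usage: ./verify_ca_cert.sh new_ca.certificate new_ca.private_key 30
if [ "$#" -ge 1 ]; then
    verify_ca_cert "$@"
fi
```

Run it against new_ca.certificate and new_ca.private_key (the files exported above) and only proceed to credhub set on an OK result; running it against the current /services/tls_ca certificate is also a quick way to confirm the expiry that triggered this procedure.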