How to rotate an already expired /services/tls_ca certificate

Article ID: 293614

Updated On:

Products

Operations Manager

Issue/Introduction

This Knowledge Base (KB) article describes how to rotate the root certificate authority called /services/tls_ca after it has already expired. Refer to this article for information on what /services/tls_ca is and how it is used.

Environment

OS: all

Resolution

Normally, when the environment is in a healthy state, you would follow the official rotation procedure from the VMware Documentation for Operations Manager 2.4-2.8 and the Maestro Rotation procedure for Operations Manager 2.9 or later.

Because /services/tls_ca is already expired, the system is in a degraded state. As a result, you only need to perform a subset of the original rotation procedure to recover the environment.

Follow the procedure that matches your version of Operations Manager. If you have the PCC tile installed, also review the additional recovery steps in this KB.


Operations Manager versions 2.4-2.8

Use the VMware Documentation as your baseline procedure. Perform the following steps sequentially:

1. Obtain or generate a new CA certificate. Add the new CA certificate to the Operations Manager Director Tile and remove the old expired cert.

2. Add the new CA certificate to TAS and Isolation Segment Tiles and remove the old expired cert.

3. Set the new CA certificate as /services/tls_ca.

4. Perform the third Apply Changes step:

  • Ensure all tiles are checked.
  • Ensure the "upgrade service instances" errand is enabled for all on-demand service tiles such as MySQL, VMware Tanzu for RabbitMQ, VMware Tanzu GemFire, and VMware Tanzu for Redis.
  • Verify that Apps can communicate with their bound on-demand services.


Operations Manager versions 2.9 or later

Use the Maestro procedure as your baseline procedure. Perform the following steps sequentially:
 
  • Regenerate /services/tls_ca by generating a new CA under a temporary name and then setting it as /services/tls_ca:

      credhub generate \
        --name="/services/new_ca" \
        --type="certificate" \
        --no-overwrite \
        --is-ca \
        --duration=1825 \
        --common-name="opsmgr-services-tls-ca"

      credhub get -n /services/new_ca -k ca > new_ca.ca
      credhub get -n /services/new_ca -k certificate > new_ca.certificate
      credhub get -n /services/new_ca -k private_key > new_ca.private_key

      credhub set -n /services/tls_ca \
        --type=certificate \
        --root=new_ca.ca \
        --certificate=new_ca.certificate \
        --private=new_ca.private_key

  • Retrieve the new TLS CA certificate from CredHub and add it in Ops Manager -> BOSH Director tile -> Security.
  • Apply Changes:
    • Ensure that all tiles are checked.
    • Ensure that the "upgrade service instances" errand is enabled for all on-demand service tiles such as MySQL, VMware Tanzu for RabbitMQ, VMware Tanzu GemFire, and VMware Tanzu for Redis.
  • Delete Inactive Certificate Versions.
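
The following script is an added example; it is not part of this KB and not VMware's Maestro tooling. It wraps the Operations Manager 2.9 or later CredHub steps above with the two checks a practitioner wants around them: a pre-check that /services/tls_ca really is expired (this KB's shortcut applies only in that case; otherwise use the normal rotation procedure), and post-checks that the value now stored in CredHub is a CA certificate with a comfortable validity window. The check functions read any PEM certificate on stdin, so they can also be used to verify the certificate you paste into the Director tile on versions 2.4-2.8. Assumptions: the credhub CLI is already targeted and logged in to the BOSH Director CredHub, openssl is on PATH, the variable defaults (CA_NAME, NEW_CA_NAME, DURATION_DAYS, COMMON_NAME) match your environment, and the 30-day post-check window is an arbitrary choice.

```bash
#!/usr/bin/env bash
# Added example, not from the KB or from VMware. Assumes `credhub` is logged in
# to the BOSH Director CredHub and `openssl` is on PATH.
set -eu

CA_NAME="${CA_NAME:-/services/tls_ca}"            # assumed: the CA being rotated
NEW_CA_NAME="${NEW_CA_NAME:-/services/new_ca}"    # assumed: temporary name, as in the KB
DURATION_DAYS="${DURATION_DAYS:-1825}"            # assumed: 5 years, as in the KB
COMMON_NAME="${COMMON_NAME:-opsmgr-services-tls-ca}"

# Reads a PEM certificate on stdin. Returns 0 if it expires within $1 seconds
# (0 seconds means "already expired"), 1 if it does not, 2 if it cannot be parsed.
# Unparseable input is deliberately NOT reported as "expired".
cert_expires_within() {
  seconds="$1"
  out="$(openssl x509 -noout -checkend "$seconds" 2>/dev/null || true)"
  case "$out" in
    "Certificate will expire")     return 0 ;;
    "Certificate will not expire") return 1 ;;
    *) echo "cert_expires_within: could not parse certificate" >&2; return 2 ;;
  esac
}

# Reads a PEM certificate on stdin. Returns 0 if basicConstraints marks it CA:TRUE.
cert_is_ca() {
  text="$(openssl x509 -noout -text 2>/dev/null || true)"
  case "$text" in
    *"CA:TRUE"*) return 0 ;;
    *)           return 1 ;;
  esac
}

# Current certificate value of $CA_NAME as stored in CredHub.
current_ca_pem() { credhub get -n "$CA_NAME" -k certificate; }

rotate_services_tls_ca() {
  # Pre-check: this KB's shortened procedure only applies to an already expired CA.
  rc=0
  current_ca_pem | cert_expires_within 0 || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "$CA_NAME is not expired (or could not be read); use the normal rotation procedure" >&2
    return 1
  fi

  # The KB's commands: generate a new CA under a temporary name and copy it in.
  credhub generate --name="$NEW_CA_NAME" --type=certificate --no-overwrite --is-ca \
    --duration="$DURATION_DAYS" --common-name="$COMMON_NAME"
  credhub get -n "$NEW_CA_NAME" -k ca          > new_ca.ca
  credhub get -n "$NEW_CA_NAME" -k certificate > new_ca.certificate
  credhub get -n "$NEW_CA_NAME" -k private_key > new_ca.private_key
  credhub set -n "$CA_NAME" --type=certificate --root=new_ca.ca \
    --certificate=new_ca.certificate --private=new_ca.private_key
  # The private key now lives in CredHub; do not leave a copy on the jumpbox.
  rm -f new_ca.private_key

  # Post-checks on what CredHub actually holds now.
  pem="$(current_ca_pem)"
  if ! printf '%s\n' "$pem" | cert_is_ca; then
    echo "$CA_NAME is not a CA certificate after rotation" >&2
    return 1
  fi
  if printf '%s\n' "$pem" | cert_expires_within $((30 * 24 * 3600)); then
    echo "$CA_NAME still expires within 30 days after rotation" >&2
    return 1
  fi
  echo "$CA_NAME rotated; add its certificate to the BOSH Director tile and Apply Changes"
}

# Runs the rotation only when invoked as: ./rotate_tls_ca.sh rotate
if [ "${1:-}" = "rotate" ]; then
  rotate_services_tls_ca
fi
```

Running the script without the rotate argument only defines the functions, so you can source it and run `credhub get -n /services/tls_ca -k certificate | cert_expires_within 0` by hand before deciding whether this KB applies.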