How to rotate an already expired /services/tls_ca certificate



Article ID: 293614


Products

Operations Manager

Issue/Introduction

This Knowledge Base (KB) article describes how to rotate an expired /services/tls_ca.

Environment

TPCF

Resolution

Normally, when the environment is healthy, you would follow the official certificate rotation procedure in the Broadcom documentation for Operations Manager 2.9 or later.

Because /services/tls_ca has already expired, the system is in a degraded state. As a result, only a subset of the original procedure is needed to recover the environment.

Operations Manager versions 2.9 or later

Use the Maestro procedure as your baseline. Perform the following steps in order:

  • Regenerate the /services/tls_ca:

        # 1. Generate a new 5-year (1825-day) CA under a temporary CredHub name.
        credhub generate \
          --name="/services/new_ca" \
          --type="certificate" \
          --no-overwrite \
          --is-ca \
          --duration=1825 \
          --common-name="opsmgr-services-tls-ca"

        # 2. Export the CA, certificate and private key of the new CA to files.
        credhub get -n /services/new_ca -k ca > new_ca.ca
        credhub get -n /services/new_ca -k certificate > new_ca.certificate
        credhub get -n /services/new_ca -k private_key > new_ca.private_key

        # 3. Overwrite the expired /services/tls_ca with the new CA material.
        credhub set -n /services/tls_ca \
          --type=certificate \
          --root=new_ca.ca \
          --certificate=new_ca.certificate \
          --private=new_ca.private_key

  • Retrieve the new TLS CA from CredHub and add it in Ops Manager -> Bosh Director tile -> Security
  • Apply Changes:
    • Ensure that all tiles are checked.
    • Ensure that the "upgrade service instances" errand is enabled for all on-demand service tiles such as MySQL, VMware Tanzu for RabbitMQ, VMware Tanzu GemFire, and VMware Tanzu for Redis.
  • Delete Inactive Certificate Versions.
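Before starting, and again after the `credhub set` step, it is worth confirming from the certificate itself whether /services/tls_ca is actually expired. The script below is an added example, not Broadcom's code: it takes the PEM returned by `credhub get -n /services/tls_ca -k certificate` on stdin and reports its notAfter date, walking the X.509 DER by hand so that it needs nothing beyond the Python standard library; `sample_pem` builds a constructed, unsigned certificate skeleton purely for offline demonstration.

```python
import base64
import re
from datetime import datetime, timezone


def _tlv(data: bytes, pos: int = 0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def cert_not_after(pem: str) -> datetime:
    """Return the notAfter time (UTC) of the first certificate in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    der = base64.b64decode("".join(m.group(1).split()))
    _, cert, _ = _tlv(der)                  # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert)                  # tbsCertificate ::= SEQUENCE (first element)
    tag, _, pos = _tlv(tbs)                 # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)          # version was present: skip serialNumber too
    _, _, pos = _tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)              # issuer Name
    _, validity, _ = _tlv(tbs, pos)         # Validity ::= SEQUENCE { notBefore, notAfter }
    _, _, pos = _tlv(validity)              # notBefore
    tag, raw, _ = _tlv(validity, pos)       # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def is_expired(pem: str) -> bool:
    """True when the certificate's notAfter is already in the past."""
    return cert_not_after(pem) <= datetime.now(timezone.utc)


def _enc(tag: int, body: bytes) -> bytes:
    """Tiny DER encoder, only used to build the constructed sample below."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body


def sample_pem(not_after: str) -> str:
    """Constructed, unsigned certificate skeleton with the given UTCTime notAfter."""
    validity = _enc(0x30, _enc(0x17, b"200101000000Z") + _enc(0x17, not_after.encode()))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
               + _enc(0x30, b"") + _enc(0x30, b"") + validity)
    body = base64.b64encode(_enc(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Real use: credhub get -n /services/tls_ca -k certificate | python3 check_ca.py
    import sys
    pem = sys.stdin.read() if not sys.stdin.isatty() else sample_pem("240101000000Z")
    print("notAfter:", cert_not_after(pem).isoformat(), "expired:", is_expired(pem))
```

Run it once against the old value before the rotation and once against the new value afterwards; the second run should report a notAfter roughly 1825 days out and `expired: False`.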