For the Telemetry tile v.1.2.1 and earlier this tile's certificates did not rotate under the main API. If you are on a version higher than v.1.2.1 please use the main API rotation procedure

Following this documentation, Rotate a Single CA and Its Leaf Certificates, these steps cover how to rotate the /telemetry-ca-cert in Ops Manager:
 

Note: If you are running Ops Manager v2.8 or v2.9, you may need to run the additional command maestro update-transitional latest --name "/telemetry-ca-cert" . In the maestro version packaged with Ops Manager 2.10, this is done automatically.

1. maestro regenerate ca --name "/telemetry-ca-cert"

2. Run Apply Changes on the entire foundation.

Note: Be sure that each service tile has the Upgrade all service instances errand enabled.

3. Run the command: maestro update-transitional signing --name "/telemetry-ca-cert"

4. Run the command: maestro regenerate leaf --signed-by "/telemetry-ca-cert"

5. Run Apply Changes on the entire foundation.

Note: Be sure that each service tile has the Upgrade all service instances errand enabled.

6. Run the command: maestro update-transitional remove --name "/telemetry-ca-cert"

7. Run Apply Changes on the entire foundation

Note: Confirm each service tile has the Upgrade all service instances errand enabled.

If you encounter issues with the above method, please contact Tanzu Support.