Concourse deployed directly on BOSH cannot rotate its certificates with the available API rotation method, because Concourse has no tile in Ops Manager.
The solution is to use the Maestro Single CA procedure combined with manual BOSH deployments to rotate the certificates. Refer to Understanding and Rotating Single CA certificates using Maestro for examples of the topology view used in this procedure.
1. Verify that BOSH can perform a manual deployment of the current manifest.
   bosh -d concourse manifest > /tmp/concourse.yml
   bosh -d concourse deploy /tmp/concourse.yml
2. Create the first "transitional: true" version of each CA; the next deployment delivers it to the Concourse deployment VMs.
   maestro regenerate ca --name "/p-bosh/concourse/atc_ca"
   maestro regenerate ca --name "/p-bosh/concourse/postgres_ca"
3. Perform a manual deployment to distribute the new CA certificates.
   bosh -d concourse manifest > /tmp/concourse.yml
   bosh -d concourse deploy /tmp/concourse.yml
4. Make the new CA version the signing CA and regenerate the leaf certificates it signs.
   maestro update-transitional signing --name "/p-bosh/concourse/atc_ca"
   maestro update-transitional signing --name "/p-bosh/concourse/postgres_ca"
   maestro regenerate leaf --signed-by "/p-bosh/concourse/atc_ca"
   maestro regenerate leaf --signed-by "/p-bosh/concourse/postgres_ca"
5. Perform a manual deployment to distribute the new leaf certificates.
   bosh -d concourse manifest > /tmp/concourse.yml
   bosh -d concourse deploy /tmp/concourse.yml
6. Remove the transitional flag to complete the rotation.
   maestro update-transitional remove --name "/p-bosh/concourse/atc_ca"
   maestro update-transitional remove --name "/p-bosh/concourse/postgres_ca"
7. Perform a final manual deployment to distribute the updated certificates without the old CA.
   bosh -d concourse manifest > /tmp/concourse.yml
   bosh -d concourse deploy /tmp/concourse.yml