Rotation procedure for metric_store_ca in Metric Store

Article ID: 298111

Updated On:

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

In Metric Store versions 1.4.4 and below, and version 1.5.1, the single Certificate Authority (CA) "metric_store_ca" does not rotate properly.

Environment

Product Version: 2.9

Resolution

Workaround

The only path to resolution is to upgrade to either Metric Store 1.4.5 or Metric Store 1.5.2 and above.

The problem is that even if you rotate the Metric Store CA "/var/vcap/jobs/metric-store/config/certs/metric_store_ca.crt" (using any standard rotation procedure), the certificate itself is rotated, but the Metric Store tile does not recognize or look for any new certs. The tile only has knowledge of the initial certificate that was written during the original install of the tile.

This issue is fixed in Metric Store 1.4.5 and Metric Store 1.5.2 by removing this CA and all of the leaf certificates it signs from the deployment.

After the tile upgrade and Apply Changes, the old certificate will remain in CredHub but will no longer display in any "expiring within" queries, such as the expiring certificates banner in the Ops Manager web interface. After it is no longer attached to a deployment, you can either let it expire or manually delete it.