Rotate /services/tls_leaf manually

Article ID: 298205


Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Only TAS versions v.2.10.0 - v.2.10.13 have a complication where this certificate does not rotate under the main API. If you are on a version higher than v.2.10.13, use the main API rotation procedure:

https://docs.pivotal.io/ops-manager/2-10/security/pcf-infrastructure/advanced-certificate-rotation.html

 

You may need to rotate the /services/tls_leaf certificate manually. This can be done in a few different ways.
 


Environment

Product Version: 2.10

Resolution

  The preferred method is to rotate this certificate together with all of the other non-configurable certificates. This is normally done with the "/regenerate" API call documented here:

 - https://docs.pivotal.io/ops-manager/2-10/security/pcf-infrastructure/rotate-non-configurable-certs.html

curl "https://OPS-MANAGER-FQDN/api/v0/certificate_authorities/active/regenerate" \
      -X POST \
      -H "Authorization: Bearer UAA-ACCESS-TOKEN" \
      -H "Content-Type: application/json" \
      -d '{}' \
      -i -v


  You can also use Maestro to rotate this certificate directly:

 - Maestro ( https://docs.pivotal.io/ops-manager/2-10/security/pcf-infrastructure/getting-started-with-maestro-cli.html )

maestro regenerate leaf --name /services/tls_leaf


Bug in TAS 2.10:

In TAS 2.10.1 - 2.10.13 there was a bug where this credential was generated as a CA, so the methods above do not work. In these versions, use either CredHub or Maestro to rotate it directly:

 - credhub:

*Note: this is considered a "hard" switchover and may cause complications for applications while the Apply Changes is in progress.

credhub regenerate -n /services/tls_leaf

Apply Change TAS / TAS Iso / TAS Windows

 

- maestro:

*Note: this is derived from the "single CA" procedure documented here: https://docs.pivotal.io/ops-manager/2-10/security/pcf-infrastructure/advanced-certificate-rotation.html#single-rotation

maestro regenerate ca --name /services/tls_leaf
 
Apply Change on TAS / TAS Iso / TAS Windows
 
maestro update-transitional signing --name /services/tls_leaf
 
Apply Change TAS / TAS Iso / TAS Windows
 
maestro update-transitional remove --name /services/tls_leaf
 
Apply Change TAS / TAS Iso / TAS Windows


- Maestro brute force (same effect as the CredHub procedure above):

maestro regenerate ca --name /services/tls_leaf
 
maestro update-transitional signing --name /services/tls_leaf --skip-safety-check
 
maestro update-transitional remove --name /services/tls_leaf --skip-safety-check
 
Apply Change TAS / TAS Iso / TAS Windows
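Before picking one of the procedures above, it is worth confirming whether the stored /services/tls_leaf credential actually carries the CA flag that the 2.10 bug produced. The helper below is an added example, not part of this article or of the Maestro/CredHub tooling; it assumes the openssl CLI is installed and, for the live usage in the trailing comment, a logged-in credhub CLI whose -k flag returns only the certificate field.

```shell
#!/bin/sh
# Added example (not from this article): tell the two rotation paths apart by
# checking whether the certificate stored at /services/tls_leaf was generated
# as a CA, which is the defect in TAS 2.10.1 - 2.10.13. Requires the openssl CLI.

# Exit 0 when the PEM certificate in file $1 carries "CA:TRUE" in its
# X509v3 Basic Constraints; exit 1 when it reads CA:FALSE or has no CA flag.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Print which procedure from the article applies to the certificate in $1:
#   "ca-bug" -> credhub regenerate, or maestro regenerate ca + update-transitional
#   "leaf"   -> the /regenerate API call, or maestro regenerate leaf
rotation_path_for() {
  if cert_is_ca "$1"; then
    echo "ca-bug"
  else
    echo "leaf"
  fi
}

# Live usage (assumes a logged-in credhub CLI; -k returns only the named field):
#   credhub get -n /services/tls_leaf -k certificate > /tmp/tls_leaf.pem
#   rotation_path_for /tmp/tls_leaf.pem
```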