How to rotate a configurable leaf certificate generated by Tanzu Operations Manager


Article ID: 298230


Products

VMware Tanzu Application Service for VMs

Issue/Introduction

This article includes the steps necessary to rotate a configurable leaf certificate generated by Tanzu Operations Manager.

Environment

Product Version: 2.10

Resolution

The configurable leaf certificates generated by Tanzu Operations Manager are the leaf certificates created with the Generate RSA Certificate button in the Tanzu Operations Manager UI. One example is the uaa.service_provider_key_credentials certificate.

What sets these certificates apart is that they are issued by the Tanzu Operations Manager root CA. Therefore, during a root CA rotation, any certificate that was generated through this method must also be rotated.

Once the configurable certificates have been identified, decode each one and, from the information listed in the certificate, obtain the list of Subject Alternative Names it includes.

You can find the steps to decode a certificate in the knowledge article How to decode a certificate.

Then using the information in this list you can go to the OpsManager UI and generate a new certificate. To do this, you will need to go to the corresponding tile, locate the certificate and click on the Change option under the certificate box.


This will enable the option Generate RSA Certificate under the certificate / key field.



When you click on Generate RSA Certificate the UI will show a prompt to provide the list of Subject Alternative Names required to generate the certificate. If the correct information is not included here, the certificate may be generated but it won't work.


Once you have added the list of values, click on Generate and a new certificate / key pair will be generated by the platform.

You will now need to scroll down to the end of the page and click on the Save button.

After all the steps have been completed, an Apply Changes on the tile where the certificate was modified is required. Once this Apply Changes process completes successfully, the configurable leaf certificate is rotated and consumed.
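
The script below is an added example, not part of the original article or of Tanzu Operations Manager. It lists the Subject Alternative Names of the old certificate on one comma-separated line, and checks that a newly generated certificate carries the same set. It assumes OpenSSL 1.1.1 or later, that each certificate has been saved to a PEM file (the file names are hypothetical), and that the prompt accepts a comma-separated list.

```shell
#!/usr/bin/env bash
# Added example (not from the article): extract and compare certificate SANs.

# Print the SANs of a PEM certificate as "a,b,c".
# Only DNS and IP entries have their type prefix removed.
list_sans() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
    sed -e 's/^[[:space:]]*//' -e 's/IP Address://g' -e 's/DNS://g' -e 's/, /,/g'
}

# Succeed only if both certificates carry the same non-empty set of SANs,
# regardless of the order in which they were entered.
same_sans() {
  old_sans=$(list_sans "$1" | tr ',' '\n' | sort)
  new_sans=$(list_sans "$2" | tr ',' '\n' | sort)
  [ -n "$old_sans" ] && [ "$old_sans" = "$new_sans" ]
}

# Constructed sample input: a throwaway self-signed certificate with the
# given SANs, standing in for a certificate copied out of the tile.
# usage: make_sample_cert <out.pem> <subjectAltName value>
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample" \
    -addext "subjectAltName=$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Stand-alone use: ./sans.sh old.pem [new.pem]
if [ "$#" -ge 1 ]; then
  list_sans "$1"
  if [ "$#" -ge 2 ]; then
    if same_sans "$1" "$2"; then echo "SANs match"; else echo "SANs differ"; fi
  fi
fi
```

Run it with the old certificate before clicking Generate RSA Certificate, and with both files after generating the new one and before Apply Changes.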