How to rotate the "diego-instance-identity-intermediate-ca-2-7" certificate using Maestro

Article ID: 298247

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

The certificate diego-instance-identity-intermediate-ca-2-7 is a Certificate Authority (CA) and can be rotated manually using Maestro. However, in the Maestro topology it appears in the Leaf position rather than the CA position, which can cause some confusion.

NOTE: If you wish to rotate the parent CA "/cf/diego-instance-identity-root-ca-2-6", use the same procedure on just the root-ca-2-6.

Environment

Product: Operations Manager
Product Version: 2.x, 3.x

Resolution

This article uses the "Single CA" procedure. For more information, refer to Rotate a Single CA and Its Leaf Certificates.

1. First, find the exact certificate name. There is a separate entry for the Tanzu Application Service (TAS) deployment and for each Isolation Segment.

maestro topology | grep "instance"


You get an output similar to this:

        - name: /p-bosh/cf-a174d82ec27aba604496/diego-instance-identity-intermediate-ca-2-7
          signed_by: /cf/diego-instance-identity-root-ca-2-6


2. Then use the certificate name you found to perform the rotation. Start by generating the new CA:

maestro regenerate ca --name /p-bosh/cf-a174d82ec27aba604496/diego-instance-identity-intermediate-ca-2-7


NOTE: If you are using Operations Manager 2.8 or 2.9, also run the following command after the one above. It is not available in 2.10 and later because this step has been automated.

maestro update-transitional latest --name /p-bosh/cf-a174d82ec27aba604496/diego-instance-identity-intermediate-ca-2-7


3. Apply Changes on the deployment listed in the name. In this example, it is the TAS deployment. 

4. Next, swap the transitional flag:

maestro update-transitional signing --name /p-bosh/cf-a174d82ec27aba604496/diego-instance-identity-intermediate-ca-2-7


5. Apply Changes on the deployment listed in the certificate name. In this example, it is the TAS deployment. 

6. Lastly, remove the transitional flag:

maestro update-transitional remove --name /p-bosh/cf-a174d82ec27aba604496/diego-instance-identity-intermediate-ca-2-7


7. Apply Changes on the deployment listed in the name. In this example, it is the TAS deployment.
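The full procedure as an added shell example (not part of this article or of Maestro itself): it parses `maestro topology` output to find every instance-identity intermediate CA signed by the root (covering TAS and each Isolation Segment), then prints the per-certificate command sequence from steps 2 to 7, including the `update-transitional latest` step only for Operations Manager 2.8/2.9. The topology text is a constructed sample, and the isolation segment deployment name in it is made up; "Apply Changes" is a manual Operations Manager step, so the plan is printed, not executed.

```bash
#!/bin/sh
# Constructed sample of `maestro topology` output: one TAS deployment and one
# isolation segment (the isolation segment deployment name is made up). In a
# real environment, pipe live `maestro topology` output into list_intermediates.
SAMPLE_TOPOLOGY='- name: /p-bosh/cf-a174d82ec27aba604496/diego-instance-identity-intermediate-ca-2-7
  signed_by: /cf/diego-instance-identity-root-ca-2-6
- name: /p-bosh/p-isolation-segment-0123456789abcdef0123/diego-instance-identity-intermediate-ca-2-7
  signed_by: /cf/diego-instance-identity-root-ca-2-6
- name: /p-bosh/cf-a174d82ec27aba604496/some-other-leaf
  signed_by: /p-bosh/cf-a174d82ec27aba604496/some-other-ca'

# Read topology text on stdin; print each instance-identity intermediate CA
# name that is signed by the root CA given as $1, one per line.
list_intermediates() {
  awk -v root="$1" '
    /^[[:space:]]*- name:/ { name = $3 }
    /^[[:space:]]*signed_by:/ && $2 == root && name ~ /instance-identity-intermediate-ca/ { print name }
  '
}

# Print the Maestro command sequence for one certificate ($1) on the given
# Operations Manager version ($2). "Apply Changes" is a manual Ops Manager
# step, so the plan is printed rather than executed. `update-transitional
# latest` is only needed on 2.8/2.9; from 2.10 on Maestro does it for you.
rotation_plan() {
  name="$1" opsman="$2"
  echo "maestro regenerate ca --name $name"
  case "$opsman" in
    2.8|2.9) echo "maestro update-transitional latest --name $name" ;;
  esac
  echo "# Apply Changes on the deployment named in: $name"
  echo "maestro update-transitional signing --name $name"
  echo "# Apply Changes on the deployment named in: $name"
  echo "maestro update-transitional remove --name $name"
  echo "# Apply Changes on the deployment named in: $name"
}

# Usage: ./rotate-plan.sh [opsman-version]   (defaults to 2.10)
main() {
  printf '%s\n' "$SAMPLE_TOPOLOGY" \
    | list_intermediates /cf/diego-instance-identity-root-ca-2-6 \
    | while read -r cert; do rotation_plan "$cert" "${1:-2.10}"; echo; done
}
main "$@"
```

To run against a real environment, replace the `printf` of the sample with `maestro topology` and feed each printed plan through the manual Apply Changes steps in order.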