This article describes how to get the expiry dates of all CA's & certificates in the PKS deployment and clusters.

Product Version: 1.6

1. In the Ops Manager VM, set the environment variables for the Bosh CLI credentials. Get the value of “Bosh Commandline Credentials” from Director tile->Credentials->Bosh Commandline Credentials.

$ export BOSH_CLIENT=ops_manager BOSH_CLIENT_SECRET=xxxxxxxx BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate BOSH_ENVIRONMENT=172.x.x.1

2. Run the following to set more needed environment variables for credhub cli to work.

$ export CREDHUB_CLIENT=$BOSH_CLIENT CREDHUB_SECRET=$BOSH_CLIENT_SECRET
$ credhub api --server $BOSH_ENVIRONMENT:8844 --ca-cert $BOSH_CA_CERT
$ credhub login

3. Run the following to get all the deployment ID’s in the foundation. For this purpose, we would only want to note down the PKS deployment (e.g., `pivotal-container-service-<uuid>`) and the cluster deployments (e.g., `service-instance_<uuid>`).

$ bosh deployments --column=name

4. For each of the deployment name from output of step 3, run the following command. Please change ‘deployment-name’ to the actual deployment name you noted down from step 3.

$ credhub export -p /p-bosh/deployment-name > deployment-name_vars.yaml

5. Download and run the shell script to get the cert & CA expiry dates from the credhub output files. The below command will output to report.txt that you can open to review.

$ ./review_yamls.sh > report.txt