1. From the Operations Manager (Ops Manager) UI, go to Director Tile > Credentials tab, click BOSH CLI Credentials, and copy its value except the last word, which is 'bosh'.
2. In the Ops Manager VM, export the variables you copied from step 1.
$ export BOSH_CLIENT=ops_manager BOSH_CLIENT_SECRET=TR7a_xxxxxZ3FliAlCFyXb9kb-zAFnLQ BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate BOSH_ENVIRONMENT=10.x.x.11
3. Export the CredHub client variables (CREDHUB_CLIENT and CREDHUB_SECRET) by running:
$ export CREDHUB_CLIENT=$BOSH_CLIENT CREDHUB_SECRET=$BOSH_CLIENT_SECRET
4. Target the CredHub server on the Director and log in to it.
$ credhub api --server $BOSH_ENVIRONMENT:8844 --ca-cert $BOSH_CA_CERT
$ credhub login
5. Identify the BOSH deployment name of PKS. You can use `bosh vms` to get it. The deployment name is in the form of 'pivotal-container-service-8b5128b4f2927cexxxxx'.
6. Save the certificate data from CredHub into a file, using the `credhub get` command. Then delete the certificate from CredHub using the `credhub delete` command. Make sure to replace the deployment name with the name you got in step 5.
$ credhub get -n /p-bosh/pivotal-container-service-8b5128b4f2927cexxxxx/kubo_odb_ca > kubo_odb_ca.credhub.save
$ credhub delete -n /p-bosh/pivotal-container-service-8b5128b4f2927cexxxxx/kubo_odb_ca
Once deleted, it should drop off the list of expiring certificates (within 3 months) returned by the Ops Manager API.
Note: The next deployment (Apply Changes) will regenerate it with a 1 year validity.
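
Added example (not part of the original procedure): a shell wrapper for step 6 that runs `credhub delete` only after the saved file is confirmed to hold a complete certificate and private key, and that keeps the saved file owner-readable only because it contains the CA private key. The function names are hypothetical, and the check assumes `credhub get` prints YAML with `certificate: |` and `private_key: |` blocks under `value:`.

```sh
#!/bin/sh
# Added example: guard the irreversible `credhub delete` behind a backup check.
# Assumption: `credhub get` prints YAML with a `certificate: |` block under
# `value:`, plus a `private_key: |` block.

# Print the PEM certificate stored under the `certificate:` key of a saved file.
extract_cert() {
  awk '
    /^[ \t]*certificate:/ { want = 1; next }
    want && /-----BEGIN CERTIFICATE-----/ { on = 1 }
    on { sub(/^[ \t]+/, ""); print }
    on && /-----END CERTIFICATE-----/ { exit }
  ' "$1"
}

# Succeed only if the file is non-empty and holds a complete certificate block
# plus a private key, i.e. it is usable as a rollback copy.
backup_ok() {
  [ -s "$1" ] || return 1
  cert=$(extract_cert "$1")
  printf '%s\n' "$cert" | grep -q -e '-----BEGIN CERTIFICATE-----' || return 1
  printf '%s\n' "$cert" | grep -q -e '-----END CERTIFICATE-----' || return 1
  grep -q -e 'PRIVATE KEY-----' "$1"
}

# save_then_delete <credential-name> <backup-file>
# Returns 0 after a verified save and delete, 1 if the save is unusable
# (nothing is deleted), 2 if the delete itself fails.
save_then_delete() {
  name=$1
  out=$2
  # The saved file contains the CA private key: keep it owner-only.
  ( umask 077; credhub get -n "$name" > "$out" ) || return 1
  chmod 600 "$out"
  backup_ok "$out" || return 1
  credhub delete -n "$name" || return 2
}

# Usage, with the deployment name found in step 5 (placeholder shown):
#   save_then_delete "/p-bosh/<deployment-name>/kubo_odb_ca" kubo_odb_ca.credhub.save
```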