How to rotate the NSX Manager CA Certificate for TKGI
Article ID: 308609

Products

VMware NSX
VMware Tanzu Kubernetes Grid Integrated (TKGi)

Issue/Introduction

For TKGI and BOSH, the NSX Manager CA Certificate is about to expire and needs to be rotated. This certificate is used in two different locations:

Bosh Director tile -> vCenter Config -> NSX CA Cert

Tanzu Kubernetes Grid Integrated Edition tile -> Networking -> NSX Manager CA Cert.


These certificates are referenced under the following names within the certificates page of Ops Manager:

.iaas_configuration.nsx_ca_certificate

.properties.network_selector.nsx.nsx-t-ca-cert

Environment

VMware Tanzu Kubernetes Grid Integrated Edition 1.x
VMware NSX

Resolution

This CA certificate will need to be regenerated first on the NSX Manager. Once this is done, it can be updated in the Ops Manager UI.

  1. Generate the new NSX-T CA certificate for the NSX Manager. This can be performed by following this article. Please note: if you need assistance with actually regenerating the NSX CA, engage the NSX-T support team.
  2. Confirm the new certificate is generated with the same SAN as the old certificate. You can do this as follows:
    1. Copy both the new certificate and the old certificate (from Bosh Director tile -> vCenter Config -> NSX CA Cert) into two separate files, e.g. CA-old.txt and CA-new.txt.
    2. Run these two openssl commands:
       openssl x509 -in CA-old.txt -text -noout | grep -A1 "Subject Alternative"
       openssl x509 -in CA-new.txt -text -noout | grep -A1 "Subject Alternative"
    3. Ensure the DNS value is the same in the output of both commands.
  3. Once verified, copy the new CA into the two text boxes and save:

    Bosh Director tile -> vCenter Config -> NSX CA Cert

    Tanzu Kubernetes Grid Integrated Edition tile -> Networking -> NSX Manager CA Cert.

  4. Apply Changes on the TKGI tile with the Upgrade all clusters errand enabled.
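The SAN check in step 2, scripted so it compares the full SAN set of CA-old.txt and CA-new.txt rather than eyeballing two grep outputs. This is an added example, not part of the VMware article: the demo certificates and the names nsx-mgr.example.local / 192.0.2.10 are constructed here, and mkcert and demo_rotation_check are helpers that exist only for this demonstration.

```shell
#!/bin/sh
# Added example: compare the Subject Alternative Name of the old and new
# NSX Manager CA certificates before pasting the new one into Ops Manager.

# Print the SAN entries of a PEM certificate, normalized (sorted, no spaces),
# using the same openssl/grep pipeline as the procedure above.
san_of() {
    openssl x509 -in "$1" -text -noout \
        | grep -A1 "Subject Alternative Name" | tail -n 1 \
        | tr -d ' ' | tr ',' '\n' | sort | paste -s -d ',' -
}

# Return 0 only when both certificates carry the same SAN set; a new CA with
# no SAN at all is also a failure, since clients will not match the name.
compare_san() {
    old_san=$(san_of "$1")
    new_san=$(san_of "$2")
    if [ -z "$new_san" ]; then
        echo "FAIL: $2 has no Subject Alternative Name"; return 1
    fi
    if [ "$old_san" = "$new_san" ]; then
        echo "OK: SAN matches ($new_san)"; return 0
    fi
    echo "FAIL: SAN differs"; echo "  old: $old_san"; echo "  new: $new_san"
    return 1
}

# Constructed self-signed certificate with the given SAN (demo helper only).
mkcert() {
    cfg=$(mktemp)
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\nprompt=no\n[dn]\nCN=nsx-manager\n[v3]\nsubjectAltName=%s\n' "$2" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -config "$cfg" >/dev/null 2>&1
    rm -f "$cfg" "$1.key"
}

# Demo: a rotated CA with the same SAN (in any order) passes; one whose DNS
# name changed fails. Returns 0 when both outcomes are as expected.
demo_rotation_check() {
    dir=$(mktemp -d)
    mkcert "$dir/CA-old.txt" "DNS:nsx-mgr.example.local,IP:192.0.2.10"
    mkcert "$dir/CA-new.txt" "IP:192.0.2.10,DNS:nsx-mgr.example.local"
    mkcert "$dir/CA-bad.txt" "DNS:nsx-mgr-new.example.local,IP:192.0.2.10"
    rc=0
    compare_san "$dir/CA-old.txt" "$dir/CA-new.txt" || rc=1   # expect OK
    compare_san "$dir/CA-old.txt" "$dir/CA-bad.txt" && rc=1   # expect FAIL
    rm -rf "$dir"
    return $rc
}
```

Against real files, call compare_san CA-old.txt CA-new.txt and only proceed to step 3 when it prints OK.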

Additional Information

The NSX Manager CA certificate is used to authenticate with the NSX Manager. The process requires creating an IP-based, self-signed certificate and registering it with the NSX Manager. During TKGI installation on vSphere with NSX, this certificate must be provided in the NSX Manager CA Cert field in the Networking pane of the TKGI tile.