When rotating root_ca in the platform with installed TKGI tile, integration with maestro is disabled and some credhub certificates are not rotated as part of the root-ca rotation procedure described in this document 

Rotating CAs and leaf certificates using the Tanzu Operations Manager API

This is specific to environments where TKGI tile is installed.

This behaviour is set due to many TKGI certs are not safe to be rotated with Maestro. Because OpsMan API tries to rotate all certificates in Credhub, the integration with Maestro is disabled when TKGI tile is installed. When integration is disabled, OpsMan falls back to a pre-Maestro procedure thats rotates leafs, but does not rotate the CA. 

Customers should follow the procedures described in the following document to rotate TKGI certificates Tanzu Kubernetes Grid Integrated Edition Certificates

To rotate opsmgr/bosh_dns/tls_ca in environment where TKGI is installed, use this procedure Rotate a single CA and its leaf certificates