Users may want to why performing an Apply Change in Opsman is required when rotating their services/tls_ca certificate.

The reason users are required to perform an Apply Change in Opsman for the services/tls_ca certificate is because various environment services (such as Healthwatch, appMetric, Splunk, Service Instances, etc) and internal components (such as GoRouter, Diego Cells, CC's) rely on this cert for secure communication. The user must select all tiles for the Apply Changes so that the new services/tls_ca gets propagated across all tiles, services and deployments.

VMware recommends users refer to the Official Docs for rotating the services/tls_ca certificate.

For more information regarding application behavior while rotating /services/tls_ca leaf certs:

• https://knowledge.broadcom.com/external/article/293418/understanding-application-behavior-while.html

For more information regarding why rotating the /services/tls_ca certificate triggers gorouter and diego_cell updates:

• https://knowledge.broadcom.com/external/article/371716/why-servicestlsca-rotation-triggers-goro.html

For more information on how to rotate an already expired /services/tls_ca certificate:

• https://knowledge.broadcom.com/external/article/293614/how-to-rotate-an-already-expired-service.html