After leaf certificates are regenerated, an Apply Changes (or a redeploy of Concourse) is needed before the new leaf certs are consumed. In this scenario, new versions of the DNS leaf certs appear in the maestro topology but are still not consumed, even after an Apply Changes or a Concourse redeploy. A leaf cert entry in the maestro topology would look like this (the first version is the newer, unconsumed one: active is false and deployment_names is empty; the second, older version is still the one in use by concourse-a1):
- version_id: <id redacted>
  active: false
  signed_by_version: <CA redacted>
  deployment_names: []
  signing: false
  transitional: false
  certificate_authority: false
  generated: true
  valid_until: '2026-01-14T18:10:19Z'
- version_id: <id redacted>
  active: true
  signed_by_version: <CA redacted>
  deployment_names:
  - concourse-a1
  signing: false
  transitional: false
  certificate_authority: false
  generated: true
  valid_until: '2025-01-28T21:28:30Z'
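The following is an added example, not part of the original article or of the maestro tool: it parses a leaf cert entry in the shape shown above and reports which versions are in use, which were generated but never consumed by any deployment, and whether rotation is stuck (the in-use version expires before the newest pending one). The version and CA identifiers in the sample are placeholders standing in for the redacted values, and the parser only understands this flat list-of-mappings shape, not general YAML.

```python
"""Added example (not from the KB article or maestro): flag leaf cert versions
that were generated but never consumed by a deployment."""
from datetime import datetime, timezone

# Constructed sample modelled on the article's topology snippet; the
# version_id / signed_by_version values are placeholders for the redacted ones.
SAMPLE_TOPOLOGY = """\
- version_id: v-new
  active: false
  signed_by_version: ca-1
  deployment_names: []
  signing: false
  transitional: false
  certificate_authority: false
  generated: true
  valid_until: '2026-01-14T18:10:19Z'
- version_id: v-old
  active: true
  signed_by_version: ca-1
  deployment_names:
  - concourse-a1
  signing: false
  transitional: false
  certificate_authority: false
  generated: true
  valid_until: '2025-01-28T21:28:30Z'
"""


def _scalar(raw):
    """Convert a scalar value: [] -> empty list, true/false -> bool, else string."""
    raw = raw.strip()
    if raw == "[]":
        return []
    if raw in ("true", "false"):
        return raw == "true"
    return raw.strip("'\"")


def parse_versions(text):
    """Minimal parser for the 'list of mappings' shape used in the topology.
    Handles scalar values, an inline [] and indented '- item' lists only."""
    versions = []
    current = None
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if indent == 0 and body.startswith("- "):
            current = {}              # a new version entry begins
            versions.append(current)
            body = body[2:]
        elif body.startswith("- "):
            current[last_key].append(_scalar(body[2:]))  # list item of last key
            continue
        key, _, value = body.partition(":")  # split on first ':' only (timestamps)
        key = key.strip()
        current[key] = _scalar(value) if value.strip() else []
        last_key = key
    return versions


def parse_time(stamp):
    """Parse the topology's UTC timestamp format."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unconsumed_versions(versions):
    """Versions that were generated but no deployment has picked up."""
    return [v for v in versions
            if v.get("generated") is True and not v.get("deployment_names")]


def rotation_status(versions):
    """Summarise one leaf cert entry: versions in use, versions pending, and
    whether the in-use cert expires before the newest pending one."""
    in_use = [v for v in versions if v.get("deployment_names")]
    pending = unconsumed_versions(versions)
    stuck = bool(pending) and bool(in_use) and (
        max(parse_time(v["valid_until"]) for v in in_use)
        < max(parse_time(v["valid_until"]) for v in pending))
    return {
        "in_use": [v["version_id"] for v in in_use],
        "pending": [v["version_id"] for v in pending],
        "stuck": stuck,
    }


if __name__ == "__main__":
    print(rotation_status(parse_versions(SAMPLE_TOPOLOGY)))
```

Run it against the real topology output for the leaf cert in question; a result with a non-empty pending list and stuck set to True is the situation this article addresses.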
The customer may have opted to use the "Enable automatic rotation of the BOSH DNS CA certificate (experimental)" feature. With that feature enabled, a new stemcell must be deployed before new versions of the DNS certs are consumed.
Redeploying the tile/Concourse with the additional flag --force-latest-variables bypasses the requirement for a new stemcell and makes the deployment consume the new cert versions. Example deployment:
bosh -d <deployment> deploy <concourse manifest yml> --force-latest-variables
After the redeploy, confirm in the maestro topology that the newer leaf cert version now shows the deployment under deployment_names and is marked active.