In the OpsMan UI, the Certificates tab shows 'No certificates found.' together with the advice 'To optimize deployment time please rotate expiring CA certificates prior to any leaf certificates.', similar to the screenshot below:
Running the command below also fails with 'curl (60) SSL certificate problem: self-signed certificate in certificate chain.' and 'curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it.':
curl "https://OPS-MANAGER-FQDN/api/v0/certificate_authorities" \
-X GET \
-H "Authorization: Bearer $token" \
-kv | jq '.'
When attempting to Apply Changes on the OpsMan tile, the UI reports an error (see the screenshot below), and the deploy log also shows the following error:
Deploying:
Creating instance 'bosh/0'
Post "https://vcap:<redacted>@x.x.x.x:6868/agent": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-XX-XXTXX:XX:XXZ is after 2025-XX-XXTXX:XX:XXZ
Exit code 1
and the BOSH Director VM will not fully power on.
TKGi 1.18.5
BOSH 3.0.25+LTS-T
The root CA certificate, and possibly the NATS certificate, have expired.
Update the CA/NATS certificates as follows:
Prerequisites:
Obtain a UAA token as follows:
# Target the Ops Manager UAA with UAAC
uaac target https://OPS-MANAGER-FQDN/uaa
# Authenticate with UAAC (password grant as the Ops Manager admin)
uaac token owner get
# Example prompts
Client ID: opsman
Client secret:
User name: admin <--- your Ops Manager login with Administrator scope
Password: {Password}
# Export the UAAC bearer token to the variable $UAA_ACCESS_TOKEN
# (shell variable names cannot contain '-'; substitute $UAA_ACCESS_TOKEN
# wherever the commands below show the placeholder UAA-ACCESS-TOKEN)
export UAA_ACCESS_TOKEN=$(uaac contexts | grep access_token | awk '{print $2}')
Generate a new root CA certificate as follows:
curl "https://OPS-MANAGER-FQDN/api/v0/certificate_authorities/generate" \
-X POST \
-H "Authorization: Bearer UAA-ACCESS-TOKEN" \
-H "Content-Type: application/json" \
-d '{}'
Obtain the CERTIFICATE-GUID of the newly generated root CA certificate by listing the certificate authorities with the command below (the new CA is the entry whose "active" field is false; -k is required only while the active CA is expired and verification cannot succeed):
curl "https://OPS-MANAGER-FQDN/api/v0/certificate_authorities" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN" \
-k | jq '.'
Activate the new root CA certificate as follows:
curl "https://OPS-MANAGER-FQDN/api/v0/certificate_authorities/CERTIFICATE-GUID/activate" \
-X POST \
-H "Authorization: Bearer UAA-ACCESS-TOKEN" \
-H "Content-Type: application/json" \
-d '{}'
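The three API steps above (list, generate, activate) and the check behind the original symptom (an active CA past its expiry date) can be driven from one script. The following is an added example written for this article, not Ops Manager or TKGi code. It assumes the response shape of the endpoints used on this page: GET /api/v0/certificate_authorities returns {"certificate_authorities": [...]} with each entry carrying "guid", "active", "created_on" and "expires_on"; the generate and activate endpoints are POSTed with an empty JSON body as above. The environment variable names OPS_MANAGER_FQDN, UAA_ACCESS_TOKEN and OPSMAN_INSECURE, and the FakeOpsMan stand-in with its constructed data, are this example's own.

```python
#!/usr/bin/env python3
"""Rotate an expired Ops Manager root CA via /api/v0/certificate_authorities.

Added example, not Ops Manager/TKGi code. Assumed API shape (from the endpoints
used on this page): GET .../certificate_authorities -> {"certificate_authorities":
[{guid, active, created_on, expires_on, ...}]}; POST .../generate and
POST .../<guid>/activate take an empty JSON body.
"""
import json
import os
import ssl
import urllib.request
from datetime import datetime, timezone


def parse_ts(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp such as 2025-01-15T10:12:08Z (UTC)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify_cas(listing: dict, now: datetime):
    """Return (active_ca_expired, candidate_guid).

    active_ca_expired: an active CA is past expires_on, the state behind the
    'x509: certificate has expired' error in the deploy log.
    candidate_guid: newest inactive, still-valid CA to activate, or None.
    """
    cas = listing.get("certificate_authorities", [])
    active_expired = any(parse_ts(ca["expires_on"]) <= now
                         for ca in cas if ca.get("active"))
    candidates = [ca for ca in cas
                  if not ca.get("active") and parse_ts(ca["expires_on"]) > now]
    candidates.sort(key=lambda ca: parse_ts(ca["created_on"]), reverse=True)
    return active_expired, (candidates[0]["guid"] if candidates else None)


class OpsManClient:
    """HTTPS client. insecure=True is the equivalent of curl -k and is only
    justified while the expired CA makes normal verification impossible."""

    def __init__(self, fqdn: str, token: str, insecure: bool = False):
        self.base, self.token = f"https://{fqdn}", token
        self.ctx = (ssl._create_unverified_context() if insecure
                    else ssl.create_default_context())

    def _call(self, method: str, path: str, body=None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {self.token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
            return json.loads(resp.read() or b"{}")

    def list_cas(self):
        return self._call("GET", "/api/v0/certificate_authorities")

    def generate_ca(self):
        return self._call("POST", "/api/v0/certificate_authorities/generate", {})

    def activate_ca(self, guid: str):
        return self._call("POST", f"/api/v0/certificate_authorities/{guid}/activate", {})


class FakeOpsMan:
    """Offline stand-in with constructed data: a single active CA that expired
    on 2025-06-01, so the rotation logic can be exercised without Ops Manager."""

    def __init__(self):
        self.cas = [{"guid": "ca-old-0001", "active": True,
                     "created_on": "2021-06-01T00:00:00Z",
                     "expires_on": "2025-06-01T00:00:00Z"}]
        self.calls = []  # records the API calls made, for inspection

    def list_cas(self):
        return {"certificate_authorities": [dict(ca) for ca in self.cas]}

    def generate_ca(self):
        self.calls.append("generate")
        new = {"guid": f"ca-new-{len(self.cas):04d}", "active": False,
               "created_on": "2025-07-01T00:00:00Z",
               "expires_on": "2029-07-01T00:00:00Z"}
        self.cas.append(new)
        return new

    def activate_ca(self, guid):
        self.calls.append(f"activate:{guid}")
        for ca in self.cas:
            ca["active"] = ca["guid"] == guid
        return {}


def rotate(client, now: datetime, force: bool = False):
    """KB steps: generate a CA only when no valid inactive one is pending, then
    activate the newest pending CA. Returns the activated GUID, or None when
    the active CA is still valid and force is False."""
    expired, guid = classify_cas(client.list_cas(), now)
    if not expired and not force:
        return None
    if guid is None:
        client.generate_ca()
        _, guid = classify_cas(client.list_cas(), now)
    if guid is None:
        raise RuntimeError("no valid inactive CA available to activate")
    client.activate_ca(guid)
    return guid


if __name__ == "__main__":
    fqdn, token = os.environ.get("OPS_MANAGER_FQDN"), os.environ.get("UAA_ACCESS_TOKEN")
    if fqdn and token:
        client = OpsManClient(fqdn, token, insecure=os.environ.get("OPSMAN_INSECURE") == "1")
    else:
        client = FakeOpsMan()  # no credentials: run against the constructed data
    print("activated:", rotate(client, datetime.now(timezone.utc)))
```

Run it with OPS_MANAGER_FQDN and UAA_ACCESS_TOKEN set (and OPSMAN_INSECURE=1 while the expired CA still blocks verification) to perform the rotation; without them it runs against the constructed data. The script activates the new CA only; the Apply Changes rounds described next still have to be run from the UI.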
Apply Changes
We now have a full set of certificates to roll out. We still have a non-expired original root certificate (CA1) to validate the base communication with, and we need to roll out the new NATS and DNS certificate components. This requires an Apply Changes on ALL tiles at once.
On the BOSH Director tile > Director Config, "Recreate All VMs" must be checked. This checkbox resets after every successful Apply Changes and must be checked again every round. Make sure to save this change (at the very bottom of the page).
Apply Changes must be run on all tiles.
Any service instance tile should be applied with the errands "Recreate all service instances" and "Update all service instances" enabled.
Any remaining VM should be recreated manually after Apply Changes with the command "bosh -d {service_instance} recreate".