Unknown Certificate Set to Expire in the Trusted Certificates Field

Article ID: 397599


Products

VMware Tanzu Application Service

Issue/Introduction

Customers may have certificates that are about to expire in the Trusted Certificates field of the TAS and Director tiles, with no indication or reference of what each certificate is for or how to rotate it.

To determine what the certificate is used for or how to rotate it, there are a few things you can check using the CredHub CLI. This example uses the certificate below:


  {
    "is_ca": false,
    "property_reference": ".properties.routing_custom_ca_certificates",
    "property_type": "ca_certificate",
    "product_guid": "cf-1803e171b6e781f53942",
    "configurable": true,
    "issuer": "/CN=opsmgr-services-tls-ca/O=Pivotal",
    "valid_from": "2020-06-29T22:29:49Z",
    "valid_until": "2025-06-28T22:29:49Z",
    "location": "ops_manager",
    "variable_path": null,
    "rotation_procedure_name": "Standard Configurable Leaf Procedure",
    "rotation_procedure_url": "https://techdocs.broadcom.com/us/en/vmware-tanzu/platform/tanzu-operations-manager/3-0/tanzu-ops-manager/security-pcf-infrastructure-rotate-configurable-certs.html"
  },

 

Resolution

Log in to CredHub and run the commands below to see whether any old versions match. You can use any online certificate decoder to verify.

credhub get -n /services/tls_leaf --versions=10

credhub get -n /services/tls_ca --versions=10

No results? Try exporting the entire CredHub store and grepping for the certificate. This will confirm whether the cert is in use or is signing any others.

credhub export > store.yaml
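A plain grep over store.yaml can miss a certificate because the export indents and re-wraps the PEM text. The following is an added example, not part of the original article or of CredHub: it compares SHA-256 fingerprints of the decoded certificates instead. It assumes the export lists each credential under a `name:` key followed by its PEM blocks; `make_pem`, `TARGET` and `SAMPLE_EXPORT` are constructed sample data, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
NAME_RE = re.compile(r"^\s*-?\s*name:\s*(\S+)\s*$")  # assumed export layout

def fingerprints(pem_text):
    """SHA-256 of each certificate's DER bytes; indentation and wrapping are ignored."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)]

def find_in_export(target_pem, export_text):
    """Names of the credentials in export_text that contain target_pem's certificate."""
    wanted = set(fingerprints(target_pem))
    hits, name, block = [], None, []
    for line in export_text.splitlines():
        m = NAME_RE.match(line)
        if m and not block:
            name = m.group(1)          # credential the next PEM blocks belong to
        if block or "-----BEGIN CERTIFICATE-----" in line:
            block.append(line)
        if block and "-----END CERTIFICATE-----" in line:
            if wanted & set(fingerprints("\n".join(block))) and name not in hits:
                hits.append(name)
            block = []
    return hits

def make_pem(raw, indent=""):
    """Constructed stand-in: arbitrary bytes in a PEM wrapper, not a real certificate."""
    b64 = base64.encodebytes(raw).decode().splitlines()
    lines = ["-----BEGIN CERTIFICATE-----", *b64, "-----END CERTIFICATE-----"]
    return "\n".join(indent + l for l in lines)

# Constructed sample data: the pasted certificate and a two-entry export.
TARGET = make_pem(b"constructed-cert-A" * 8)
SAMPLE_EXPORT = "\n".join([
    "credentials:",
    "- name: /services/tls_ca",
    "  value:",
    "    ca: |",
    make_pem(b"constructed-cert-A" * 8, "      "),
    "- name: /services/tls_leaf",
    "  value:",
    "    certificate: |",
    make_pem(b"constructed-cert-B" * 8, "      "),
])

if __name__ == "__main__":
    print(find_in_export(TARGET, SAMPLE_EXPORT))
```

To use it on real data, pass the PEM copied from the Trusted Certificates field and the contents of store.yaml to `find_in_export`. The export holds every credential in plain text, private keys included, so restrict its permissions and delete it once the check is done.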