After upgrading TAS, apps running on Tanzu Platform for Cloud Foundry (TPCF) started to crash with the error below.
[STG/0] [ERR] Unable to interpolate credhub refs: Unable to set up credhub client: provided ca certs are invalid
CredHub is failing to validate certificates that have been added to "Trusted Certificates" under "BOSH Director for vSphere >> Security".
Particular certificates in that list are not valid according to the RFC.
Example:
Validation can fail on the certificates when the "Authority Key Identifier" extension is marked as "critical" in one of them.
The Go parser inside CredHub checks that the "Authority Key Identifier" extension is not marked as "critical", as per RFC 5280, Section 4.2.1.1:
Conforming CAs MUST mark this extension as non-critical.
Remove all external certificates that are not valid according to RFC 5280 from "Trusted Certificates" under "BOSH Director for vSphere tile >> Security" and replace them with valid certificates.
Note: If you are not able to identify the invalid certificates applied under "BOSH Director for vSphere >> Security", raise a service request with Tanzu support on the Broadcom support portal.
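One way to locate the offending certificates before opening a request, as an added example that is not part of the original article or of CredHub: a small Go program that reads a PEM bundle on standard input and reports which certificates carry a critical "Authority Key Identifier" extension. It decodes the ASN.1 with encoding/asn1 instead of crypto/x509, so a strict parser rejecting a certificate does not hide which one is at fault. The type and function names are illustrative, and the bundle is assumed to contain only certificates.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"io"
	"os"
)

var oidAKI = asn1.ObjectIdentifier{2, 5, 29, 35} // id-ce-authorityKeyIdentifier
type tbsCert struct { // RFC 5280 TBSCertificate; all but Extensions kept raw
	Version                                         int `asn1:"optional,explicit,default:0,tag:0"`
	Serial, SigAlg, Issuer, Validity, Subject, SPKI asn1.RawValue
	IssuerUID                                       asn1.BitString   `asn1:"optional,tag:1"`
	SubjectUID                                      asn1.BitString   `asn1:"optional,tag:2"`
	Extensions                                      []pkix.Extension `asn1:"omitempty,optional,explicit,tag:3"`
}
type certificate struct {
	TBS         tbsCert
	SigAlg, Sig asn1.RawValue
}

// CriticalAKI returns the 1-based positions of PEM blocks whose AKI extension is critical.
func CriticalAKI(bundle []byte) (bad []int, err error) {
	for pos := 1; ; pos++ {
		var blk *pem.Block
		if blk, bundle = pem.Decode(bundle); blk == nil {
			return bad, nil // no more PEM blocks
		}
		var c certificate
		if _, err = asn1.Unmarshal(blk.Bytes, &c); err != nil {
			return bad, fmt.Errorf("PEM block %d: %w", pos, err)
		}
		for _, e := range c.TBS.Extensions {
			if e.Id.Equal(oidAKI) && e.Critical {
				bad = append(bad, pos)
			}
		}
	}
}

func main() { // usage: go run aki.go < trusted-certs.pem (hypothetical file names)
	bundle, err := io.ReadAll(os.Stdin)
	if err != nil {
		panic(err)
	}
	fmt.Println(CriticalAKI(bundle))
}
```

The printed positions count PEM blocks from the top of the bundle, so position 2 is the second certificate pasted into the field.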