While following the procedure on rotating the Ops Manager Root CA, specifically upon running the curl command with a DELETE request method in the "Step 5: Delete the old CAs" step, the following safety violation is encountered:

{"certificates":{"updated":[],"excluded":[],"update_failed":[]},"safety_violations":[{"violation":"active child certificate is signed by a certificate authority that is not the latest version","certificate_names":["cf-5555: .uaa.service_provider_key_credentials"]}],"errors":["There are leaf certificates that are still signed by the inactive CA that is being deleted"]}

VMware Tanzu Platform

The configurable certificate named ".uaa.service_provider_key_credentials" was signed by the old CA cert that was attempted to be deleted.  This cert was not rotated yet using the new Ops Manager Root CA.

1. Go to Ops Manager -> TAS tile Settings -> UAA.
2. In the field "SAML service provider certificate and private key", click the "Change" link.
3. Click the "Generate RSA Certificate".
4. Add the appropriate Domain Names for your environment.
5. Click "Generate".
6. Save and Apply Changes.
7. After Apply Changes completes, then try the deletion of the old CA again and resume the procedure to rotate the Ops Manager Root CA.