When the checkbox "Enable automatic rotation of the BOSH DNS CA certificate (experimental)" is enabled on the Director Config page of the BOSH Director tile, the BOSH DNS certificate variables in the director manifest are given an update strategy that rotates them on the next stemcell upgrade.
The checkbox label and its help text in the UI read:
Enable automatic rotation of the BOSH DNS CA certificate (experimental)
This will automatically rotate the BOSH DNS CA certificate and associated leaf certificates when stemcell updates are deployed.
The corresponding certificate variable in the BOSH Director manifest looks like this example:
- name: "/bosh_dns_health_server_tls"
  type: certificate
  update_mode: converge
  options:
    ca: "/opsmgr/bosh_dns/tls_ca"
    common_name: health.bosh-dns
    alternative_names:
    - health.bosh-dns
    extended_key_usage:
    - server_auth
  update:
    strategy: on-stemcell-change
[Screenshot: BOSH Director tile with the checkbox "Enable automatic rotation of the BOSH DNS CA certificate (experimental)" enabled]
With this setting enabled, new bosh-dns certificates are not propagated to the VMs on an ordinary Apply Changes, because the variable's update strategy (on-stemcell-change) defers propagation. By default this strategy only pushes the certificates to the VMs on the next stemcell upgrade.
This feature is experimental.
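A quick way to see which certificate variables in a director manifest are subject to this deferral is to audit the manifest's variables block. The script below is an added example and is not part of the KB article or of Ops Manager; the VARIABLES list is a constructed, already-parsed form of the snippet above (the CA entry and the "/example/other_server_tls" entry are assumed for illustration). In practice you would load the director manifest with a YAML parser and pass manifest["variables"] to audit_variables().

```python
"""Audit a BOSH Director manifest's variables block for certificate
variables whose update strategy is on-stemcell-change, i.e. certificates
whose new values only reach VMs on a stemcell upgrade, not on an ordinary
Apply Changes.

Added example, not from the KB article or from Ops Manager.
"""

DEFERRED_STRATEGY = "on-stemcell-change"

# Constructed sample: parsed form of a variables block. The first entry
# mirrors the snippet in the article; the CA entry and the
# "/example/other_server_tls" entry are assumptions for illustration.
VARIABLES = [
    {
        "name": "/bosh_dns_health_server_tls",
        "type": "certificate",
        "update_mode": "converge",
        "options": {
            "ca": "/opsmgr/bosh_dns/tls_ca",
            "common_name": "health.bosh-dns",
            "alternative_names": ["health.bosh-dns"],
            "extended_key_usage": ["server_auth"],
        },
        "update": {"strategy": DEFERRED_STRATEGY},
    },
    {
        # Assumed CA variable for the leaf above.
        "name": "/opsmgr/bosh_dns/tls_ca",
        "type": "certificate",
        "options": {"is_ca": True, "common_name": "bosh-dns-ca"},
    },
    {
        # Hypothetical certificate with no deferral strategy: propagates
        # on a normal Apply Changes.
        "name": "/example/other_server_tls",
        "type": "certificate",
        "options": {"ca": "/example/other_ca", "common_name": "other.example"},
    },
]


def audit_variables(variables):
    """Return {variable_name: signing_ca_or_None} for every certificate
    variable whose update.strategy equals on-stemcell-change."""
    deferred = {}
    for var in variables:
        if var.get("type") != "certificate":
            continue
        strategy = (var.get("update") or {}).get("strategy")
        if strategy == DEFERRED_STRATEGY:
            deferred[var["name"]] = (var.get("options") or {}).get("ca")
    return deferred


def report(variables):
    """One human-readable line per deferred certificate variable."""
    return [
        f"{name} (CA: {ca}) will not propagate to VMs until the next stemcell change"
        for name, ca in audit_variables(variables).items()
    ]


if __name__ == "__main__":
    for line in report(VARIABLES) or ["no deferred certificate variables found"]:
        print(line)
```

Run it against the real manifest after loading it with a YAML parser; an empty result means every certificate variable will propagate on the next Apply Changes, while any listed name needs either a stemcell upgrade or the checkbox disabled (see the options below) before its new value reaches the VMs.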
To make sure the certificates do get propagated to the VMs, two options are available:
1. Upload a new stemcell and apply it to the relevant deployment on the Stemcell Library page of the Ops Manager UI.
2. Disable the checkbox "Enable automatic rotation of the BOSH DNS CA certificate (experimental)" under BOSH Director tile > Director Config, then run Apply Changes on the relevant tiles with the Upgrade All Service Instances errand enabled where applicable.