Several certificates were configured in the TAS tile -> System Logging -> TLS encryption -> CA certificate field, and the Ops Manager banner alert shows that one of them is expiring. There is little information on how to renew that particular certificate, whether it is still needed, or whether it can be removed safely.
VMware Tanzu Application Service
The expiring certificate in question is not a CA certificate and should not have been included in this setting in the first place.
Retrieve the useful information about the cert in question. From the Ops Manager support bundle, review the file "certificates/all_certificates.json" and find all the certs whose property_reference is ".properties.syslog_tls.enabled.tls_ca_cert" (each entry carries an index suffix such as [2]). From the filtered list, find the one with the earliest "valid_until" value.
e.g.,
{
    "is_ca": false,
    "property_reference": ".properties.syslog_tls.enabled.tls_ca_cert[2]",
    "property_type": "ca_certificate",
    "product_guid": "cf-xxx",
    "configurable": true,
    "issuer": "/C=US/O=Example Inc/CN=Example Inc CA",
    "valid_from": "2025-01-31T00:00:00Z",
    "valid_until": "2026-01-30T23:59:59Z",
    "location": "ops_manager",
    "variable_path": null,
    "rotation_procedure_name": "Standard Configurable Leaf Procedure",
    "rotation_procedure_url": "https://docs.pivotal.io/ops-manager/2-10/security/pcf-infrastructure/rotate-configurable-certs.html"
},
Given the above cert info, the valid_until value tells you whether this is the cert that is expiring soon. The output also shows "is_ca": false, which indicates that this cert is not a CA cert.
Retrieve the certificate PEM data. Copy the value from the TAS tile settings -> System Logging -> TLS encryption -> CA certificate field; if the field holds multiple certs, they are stacked one after another. The same PEM data can also be retrieved from the Ops Manager support bundle, in the CF manifest (deployed_manifest_and_configs/cf-xxx/manifest_last_successful_yyyymmddhhmmss.yml) under the syslog_forwarder job properties (.syslog.ca_cert). Save each cert PEM into its own file, then run the following openssl command on each file to get more information:
openssl x509 -in cert-1.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xx:yy:zz
        ...
        Issuer: C = US, O = Example Inc, CN = Example Inc CA
        Validity
            Not Before: Jan 31 00:00:00 2025 GMT
            Not After : Jan 30 23:59:59 2026 GMT
        Subject: C = US, ST = State, L = Location, O = Org, CN = syslog.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
            X509v3 Subject Alternative Name:
                DNS:syslog1.example.com
            ...
            X509v3 Basic Constraints: critical
                CA:FALSE
        ...
From the output, look for the CA setting under X509v3 Basic Constraints. In the example above it is CA:FALSE, so this is not a CA cert; the Subject CN and Subject Alternative Name also name a syslog host, which is what a server cert rather than a CA cert would carry.
The TAS tile settings -> System Logging -> TLS encryption -> CA certificate field should contain only the CA cert needed to validate the server cert presented by the remote syslog instance. A cert that is not the CA cert for the remote syslog instance can be safely removed from the setting.
Once the cert in question has been removed, run Apply Changes.