Non-Configurable Leaf Certificate rotation button in apply changes page


Article ID: 427436


Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

Running a full rotation of all leaf certificates on a foundation that includes TKGI is risky and can cause downtime, because TKGI cluster certificates must be rotated with their own documented sequence rather than in bulk.
The public documentation includes the following warning:

Warning: Never use the CredHub Maestro commands maestro regenerate ca --all or maestro regenerate leaf --all to rotate TKGI certificates.

On the Review Pending Changes page of the Ops Manager UI, the Rotate All Non-Configurable Leaf Certificates button provides a supported way to rotate the Ops Manager-managed leaf certificates. When selected, it runs the same API-driven rotation sequence that is documented for TKGI environments as part of applying your changes, so the rotation happens in the supported order without a manual Maestro run.

Environment

Foundation Core 3.1 

TKGi 1.2x 

Resolution

This automated procedure rotates only the non-configurable leaf certificates stored in Ops Manager, plus the bosh_dns leaf certificates stored in CredHub. None of the TKGI cluster certificates are rotated by it, so those remain in place after the apply-changes run.

Certificates rotated by this procedure:

- All leaf certificates under .properties.root_ca, except:
  .pivotal-container-service.pks_tls
  .properties.server_cert_key

- All leaf certificates under .properties.nats_client_ca

- All leaf certificates under /opsmgr/bosh_dns/tls_ca, except:
  /opsmgr/bosh_dns/san_migrated
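Before applying changes it is useful to know, per certificate, whether the button will rotate it, skip it because it is on the exclusion list, or leave it untouched because it is a TKGI cluster certificate. The script below encodes the scope described above and applies it to a certificate inventory. It is an added example, not Ops Manager, CredHub or TKGI code. The record layout (reference, issuer reference, is_ca, configurable, location) is an assumption loosely modelled on the Ops Manager GET /api/v0/deployed/certificates response, and every sample reference and value in SAMPLE_CERTS is constructed for the example rather than taken from a real foundation.

```python
"""Classify certificates by whether the Ops Manager "Rotate All
Non-Configurable Leaf Certificates" button will rotate them, using the
scope described in this article.

Added example, not Ops Manager, CredHub or TKGI code.  The record layout
is an assumption loosely modelled on the Ops Manager
GET /api/v0/deployed/certificates response; the sample inventory below is
constructed, not captured from a foundation.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# CAs whose non-configurable leaf certificates the button rotates (per the article).
ROTATED_CAS = frozenset({
    ".properties.root_ca",
    ".properties.nats_client_ca",
    "/opsmgr/bosh_dns/tls_ca",
})

# Leaf certificates the article lists as excluded even though their CA is above.
EXCLUDED_LEAVES = frozenset({
    ".pivotal-container-service.pks_tls",
    ".properties.server_cert_key",
    "/opsmgr/bosh_dns/san_migrated",
})


@dataclass(frozen=True)
class CertRecord:
    reference: str     # Ops Manager property reference or CredHub variable path
    issuer_ref: str    # reference of the CA that signed it (assumed field)
    is_ca: bool
    configurable: bool
    location: str      # "ops_manager" or "credhub"


def rotation_status(cert: CertRecord) -> str:
    """Return one of: ca, configurable, excluded, rotated, not_covered."""
    if cert.is_ca:
        return "ca"              # CAs are not leaves; out of scope for this button
    if cert.configurable:
        return "configurable"    # operator-supplied certs are never auto-rotated
    if cert.reference in EXCLUDED_LEAVES:
        return "excluded"        # explicitly skipped by the procedure
    if cert.issuer_ref in ROTATED_CAS:
        return "rotated"
    return "not_covered"         # e.g. TKGI cluster certs signed by a cluster CA


def plan_rotation(certs: Iterable[CertRecord]) -> Dict[str, List[str]]:
    """Group certificate references by rotation_status, preserving input order."""
    plan: Dict[str, List[str]] = {}
    for cert in certs:
        plan.setdefault(rotation_status(cert), []).append(cert.reference)
    return plan


# Constructed sample inventory; the references are placeholders, not deployment values.
SAMPLE_CERTS = [
    CertRecord(".properties.root_ca", "", True, False, "ops_manager"),
    CertRecord(".properties.director_ssl", ".properties.root_ca", False, False, "ops_manager"),
    CertRecord(".properties.server_cert_key", ".properties.root_ca", False, False, "ops_manager"),
    CertRecord(".pivotal-container-service.pks_tls", ".properties.root_ca", False, False, "ops_manager"),
    CertRecord(".properties.nats_client_ca", "", True, False, "ops_manager"),
    CertRecord(".properties.nats_client_cert", ".properties.nats_client_ca", False, False, "ops_manager"),
    CertRecord("/opsmgr/bosh_dns/tls_ca", "", True, False, "credhub"),
    CertRecord("/opsmgr/bosh_dns/server", "/opsmgr/bosh_dns/tls_ca", False, False, "credhub"),
    CertRecord("/opsmgr/bosh_dns/san_migrated", "/opsmgr/bosh_dns/tls_ca", False, False, "credhub"),
    CertRecord(".properties.uaa_cert", ".properties.root_ca", False, True, "ops_manager"),
    # A TKGI cluster certificate: signed by a per-cluster CA, so the button leaves it alone.
    CertRecord("/p-pks/example-cluster/tls-kubernetes", "/p-pks/example-cluster/kubernetes_ca", False, False, "credhub"),
]


if __name__ == "__main__":
    for status, refs in sorted(plan_rotation(SAMPLE_CERTS).items()):
        print(f"{status:12s} {', '.join(refs)}")
```

Anything that lands in not_covered is what the button does not handle and still needs the TKGI-specific rotation sequence; if you feed the script a real inventory, populate issuer_ref from whichever field your Ops Manager version exposes for the signing CA, since that mapping is the one assumption the classification depends on.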