Attempting to regenerate a certificate results in errors such as "latest certificate authority versions with active children are not signing".
Running "maestro tp --name <certificate name>" shows a deployment named "bosh-health" in the certificate topology.
Healthwatch can create a scenario in which its newly created test deployment consumes the new certificate versions while other deployments still use the old ones. This discrepancy can trigger safety violations in the maestro commands that Ops Manager uses for certificate rotation operations.
The solution is to temporarily stop Healthwatch from creating the bosh-health test deployment.
This can be done by SSHing to the bosh-health-exporter VM and temporarily stopping the bosh-health-exporter process:
bosh -d p-healthwatch2-pas-exporter-####### ssh bosh-health-exporter/0
monit stop bosh-health-exporter
If Healthwatch v1 is installed, you may also need to temporarily stop the bosh-health-exporter app in the healthwatch space (the older Healthwatch version uses an app instead of a BOSH VM for this purpose).
Re-run "maestro tp --name <certificate name>"; the "bosh-health" deployment should disappear soon after the deployment gets cleaned up. Once it is gone, you can proceed with your certificate regenerate operation.
Once certificate maintenance is complete, remember to turn the bosh-health-exporter process back on:
monit start bosh-health-exporter