Generate tls_ca certificate that pass python certificate validation check

Article ID: 437541


Products

VMware Tanzu Platform - Cloud Foundry

Issue/Introduction

After following the "Set a Custom CA Certificate" procedure (https://techdocs.broadcom.com/us/en/vmware-tanzu/platform/tanzu-rabbitmq-tanzu-platform/10-0/rabbitmq-tp/prepare-tls.html#set-custom-cert), clients written in Python and other languages may still fail to connect to RabbitMQ and other services: their TLS validation requires an additional key usage flag to be present in the CA certificate.

This article outlines the steps required to generate such a certificate with CredHub and maestro while following the best practices for certificate rotation.
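The following script is an added illustration of the requirement above; it is not part of the KB article or of the CredHub/maestro tooling. It builds two throwaway CAs with the openssl CLI (the constructed names "good", "bad" and "rabbitmq.example.test" are assumptions): one whose Key Usage extension includes keyCertSign, as CredHub's --key-usage key_cert_sign produces, and one whose Key Usage extension is present but lacks it. OpenSSL, which Python's ssl module uses for validation, refuses to accept the second CA as the issuer of a leaf certificate. The ca_has_cert_sign helper can be pointed at the PEM returned by credhub get --name=/services/tls_ca -k ca to confirm the flag before trusting a new CA version.

```shell
#!/bin/sh
# Added example (not from the KB article): why the CA needs keyCertSign.
# Requires the openssl CLI, 1.1.1 or newer (for -addext).
set -eu

WORK=$(mktemp -d)

# make_ca PREFIX KEYUSAGE: self-signed test CA (constructed data) whose
# keyUsage extension is set to KEYUSAGE. basicConstraints comes from the
# default req configuration (1.1.1) or the req -x509 defaults (3.x).
make_ca() {
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -sha256 -days 365 -subj "/CN=$1 test CA" \
    -addext "keyUsage=critical,$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf PREFIX: server certificate (constructed data) signed by CA PREFIX.
make_leaf() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=rabbitmq.example.test" \
    -keyout "$WORK/$1-leaf.key" -out "$WORK/$1-leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1-leaf.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -days 365 -sha256 -out "$WORK/$1-leaf.pem" 2>/dev/null
}

# ca_has_cert_sign PEMFILE: exit 0 when the Key Usage extension lists
# "Certificate Sign" (the keyCertSign bit the KB requires), non-zero otherwise.
ca_has_cert_sign() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Key Usage' \
    | grep -q 'Certificate Sign'
}

# verify_leaf PREFIX: exit 0 when the leaf chains to CA PREFIX, which is the
# same path-validation check a TLS client performs on the server certificate.
verify_leaf() {
  openssl verify -no-CApath -CAfile "$WORK/$1.pem" "$WORK/$1-leaf.pem" \
    >/dev/null 2>&1
}

# run_demo: build both CAs and a leaf for each, then report the outcome.
run_demo() {
  make_ca good "keyCertSign"
  make_leaf good
  make_ca bad "digitalSignature,keyEncipherment"
  make_leaf bad
  for ca in good bad; do
    if ca_has_cert_sign "$WORK/$ca.pem"; then ku=present; else ku=missing; fi
    if verify_leaf "$ca"; then v=OK; else v=FAILED; fi
    echo "$ca CA: keyCertSign $ku, leaf verification $v"
  done
}

run_demo
```

The "bad" CA is a perfectly valid self-signed certificate and openssl x509 -req happily signs a leaf with it; only path validation on the client side rejects the chain, which is why the symptom appears in application clients rather than at certificate creation time.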


Environment

EAR 10.x

RMQ Tile 10.x

MYSQL 

Other tiles using "/services/tls_ca"

Cause

Manual certificate creation in CredHub leads to inconsistencies and further problems when the follow-up maestro certificate rotation process is used. This process was therefore created to help satisfy the new requirement, while in the long term the problem is addressed in future versions of EAR.

Resolution

Requirements: the maestro topology should have a valid certificate and chain in place. The example below shows the expected starting point: the CA certificate version has signing: true and generated: true, and the leaf certificate is signed by the latest version.

maestro tp --name /services/tls_ca
topology:
    - name: /services/tls_ca
      certificate_id: 260957b7-xxxx-xxxx-xxxx-342a4ca00248
      signed_by: /services/tls_ca
      versions:
        - version_id: dff886c8-xxxx-xxxx-xxxx-485346183027
          signing: true
          certificate_authority: true
          generated: true
          valid_until: 2031-04-14T22:05:28Z
      signs:
        - name: /p-bosh/pivotal-mysql-0xxxxxxxxxxxxca/services_tls_accessor_cert
          certificate_id: 4719ce6e-xxxx-xxxx-xxxx-c31af4077fb4
          signed_by: /services/tls_ca
          versions:
            - version_id: 2a3a2d6d-xxxx-xxxx-xxxx-7d76f1fdbf80
              active: true
              signed_by_version: dff886c8-xxxx-xxxx-xxxx-485346183027
              deployment_names:
                - pivotal-mysql-0xxxxxxxxxxxxca
              generated: true
              valid_until: 2031-04-14T22:04:21Z

Step 1 Create a new certificate with the --key-usage option (the duration can be changed based on your requirements):


credhub generate \
--name="/services/tls_ca" \
--type="certificate" \
--is-ca \
--common-name="opsmgr-services-tls-ca" \
--duration=1825 \
--key-usage key_cert_sign

Step 2 Mark it as transitional:

CERT_ID=$(credhub curl -p /api/v1/certificates?name=%2Fservices%2Ftls_ca | jq -r '.certificates[0].id')
NEW_VERSION_ID=$(credhub curl -p /api/v1/certificates/$CERT_ID/versions | jq -r 'sort_by(.version_created_at) | last | .id')
credhub curl -p /api/v1/certificates/$CERT_ID/update_transitional_version -X PUT -d '{"version": "'$NEW_VERSION_ID'"}'

Step 3 Add the new certificate to the trusted certificates, then Apply Changes on all tiles that use the service and upgrade the service instances so the new certificate is propagated.

To add the CA Certificate to Ops Manager:

Record the CA certificate by running:

credhub get \
  --name=/services/tls_ca \
  -k ca

Go to Tanzu Ops Manager Installation Dashboard > BOSH Director > Security.

Append the contents of the CA certificate you recorded in the previous step to Trusted Certificates.

Click Save.

Apply Changes.

Step 4 Update the transitional version and regenerate the leaf certificates:

maestro update-transitional signing --name /services/tls_ca
maestro regenerate leaf --signed-by /services/tls_ca

Step 5 Apply Changes on all tiles that use the service and upgrade the service instances so the new certificate is propagated.

Step 6 Remove the transitional flag:

maestro update-transitional remove --name /services/tls_ca

Step 7 Apply Changes on all tiles that use the service and upgrade the service instances so the new certificate is propagated.

Optional: Step 8 Clean up the old certificates from the CredHub database:

maestro gc ca --all
deleted:
    - name: /services/tls_ca
      certificate_id: 260957b7-xxxx-xxxx-xxxx-342a4ca00248
      version_ids:
        - dff886c8-xxxx-xxxx-xxxx-485346183027

maestro gc leaf --all

Additional Information

The Apply Changes step must include all tiles that use the certificate, such as MySQL, RabbitMQ and EAR. Adding the new CA to the trusted certificates is optional; however, if there are processes that may use the certificate, doing so makes the rotation smoother with fewer interruptions.

It is important to note the initial status of the certificates. If you notice that the certificates are not in the expected state or order, please reach out to support for assistance.