A “Rotate All Non-Configurable Leaf Certificates” checkbox has been introduced in the Ops Manager UI.

This option provides the same functionality as the API and maestro command methods documented in Rotating non-configurable leaf certificates in Tanzu Operations Manager.

This article addresses the following question:
Is it required to select the “Rotate All Non-Configurable Leaf Certificates” checkbox in the Ops Manager UI again if the first Apply Change attempt fails?

Question: Is it required to select the “Rotate All Non-Configurable Leaf Certificates” checkbox in the Ops Manager UI again if the first Apply Change attempt fails?

No, it is not required.

Once you select “Rotate All Non-Configurable Leaf Certificates” and perform Apply Change, a new set of non-configurable certificates is generated, even if the Apply Change process fails afterward.

You can confirm this by generating a support bundle. In the downloaded support bundle, you should be able to verify that the "maestro regenerate leaf --all" command has already been executed:

$ cat ~/Downloads/support_bundle/var/log/opsmanager/production.log | grep regenerate
I, [2026-05-20T01:21:41.556901 #1013]  INFO -- : MaestroExecutor start cmd=/usr/local/bin/maestro --json regenerate leaf --all --show-excluded; pwd=/home/tempest-web/tempest/web
I, [2026-05-20T01:21:43.685780 #1013]  INFO -- : MaestroExecutor stop cmd=/usr/local/bin/maestro --json regenerate leaf --all --show-excluded; pwd=/home/tempest-web/tempest/web; exit_code=0

If you see from support bundle logs that maestro regenerate leaf has been executed successfully and after correcting the issue that caused the first Apply Change attempt to fail, you do not need to select the “Rotate All Non-Configurable Leaf Certificates” checkbox again.

Please leave the checkbox unchecked and run Apply Change again to complete the certificate rotation process.