Pivotal Knowledge Base


How to Regenerate Expired SAML CERT via Ops Manager


  • Pivotal Operations Manager versions 1.7.x, 1.8.x, and 1.9.x
  • Pivotal Cloud Foundry


By default Operations Manager will generate an SSL certificate signed by the Bosh director root authority with a 2-year lease used for SAML integration with Pivotal Elastic Runtime.

This article provides a method for regenerating a new SAML certificate before or after expiration.


  • UAAC client needs be installed
    gem install cf-uaac
  • Must be able to access Operations Manager web and CLI interface
  • Optionally to help follow the procedure you can replace and set the following environment variable if using a bash terminal
    • Hostname or IP address of Operations Manager
      export OPSMANWEB="operations.manager.domain.com"


  1. Open a terminal and run the following UAAC commands to acquire an access token.
    1. Target Operations Manager UAA endpoint
      uaac target https://${OPSMANWEB}/uaa
    2. If Operations Manager is not integrated with SAML then proceed with this step
      uaac token owner get
      Client ID: opsman
      Client secret: <Leave Blank>
      User name: <Username to log into OpsManager>
      Password: <Password to log into OpsManager>
    3. If Operations Manager is integrated with SAML, then proceed with this step and acquire a passcode from https://${OPSMANWEB}/uaa/passcode endpoint
      uaac token sso get
      Client ID: opsman
      Client secret: <Leave Blank>
      Passcode: <paste from /uaa/passcode endpoint>
  2. Now that we have successfully obtained an access token we need to put it into an environment variable for easy access
    1. Run this command to print your access token
      # uaac context
            access_token: .....
            token_type: bearer
            expires_in: 43199
            scope: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
            jti: ....
    2. Export the access token into variable
      export ACCESS_TOKEN="contents of access_token from uaac context"
  3. Download installation settings from ops manager into a file
    curl -k "https://${OPSMANWEB}/api/installation_settings" -X GET -H "Authorization: Bearer ${ACCESS_TOKEN}" | python -m json.tool > installation_settings.json
  4. Duplicate installation_settings.json, so we have a backup in case an error is there
    cp installation_settings.json installation_settings.json.backup
  5. Open installation_settings.json and locate key "service_provider_key_credentials" then replace contents of "cert_pem" and "private_key_pem" with keyword "null"
                                "identifier": "service_provider_key_credentials",
                                "value": {
                                    "cert_pem": null,
                                    "private_key_pem": null
  6. Upload the updated installation_settings.json to Operations Manager
    # curl -k "https://${OPSMANWEB}/api/installation_settings" -X POST -H "Authorization: Bearer ${ACCESS_TOKEN}" -F installation[file]=@installation_settings.json; echo
    Example of success result:
  7. Go to Operations Manager using a web browser and confirm there are pending changes for the Elastic Runtime tile.
  8. Click Apply Changes.
  9. Once changes are committed the new SAML metadata file can be downloaded from endpoint "https://<uaa identity login>.<system domain>/saml/metadata". Then follow the steps from your SAML Identity Provider to replace Service Provider Certificate with the new Certificate.


Powered by Zendesk