XCO Root CA

XCO is shipped with Root CA that is used to generate Intermediate CA. The Root CA is unique across each XCO and is generated during installation.

Location

TPVM: /apps/efadata/certs/ca/extreme-ca-root.pem
Server: /opt/efadata/certs/own/extreme-ca-root.pem

Expiry and Alerts

The XCO Root CA is valid for 20 years from the date of installation. It supports the following alerts which effects the health of XCO security subsystem:

CertificateExpiryNoticeAlert
CertificateExpiredAlert
CertificateUnreadableAlert

For more information, see Fault Management - Alerts.

Renewal

You can renew or regenerate the root CA by using either script or command.

To renew or regenerate the Root CA, run the renewal script efa_renew_certs.sh.

sudo bash <path to the script>/efa_renew_certs.sh --type rootca

To renew or regenerate the Root CA, run the efa certificate server renew command.

efa certificate server renew --cert-type

Note

In TPVM, the renewal script and command are available in the /apps/efa/ and /opt/efa/ directory of a server.

After the Root CA is updated,

New Intermediate CA is generated
New XCO Server Certificate is generated. If a third-party certificate is used, then the server certificate generation is skipped.

On renewal of certificate, a CertificateRenewalAlert is raised which changes the health of the system to green.