XCO is shipped with a self-signed certificate that is generated during installation. It is signed by the XCO Intermediate CA certificate. This certificate is used on the following ports:
You can replace the server certificate with a third-party certificate acquired through a trusted CA (for example, Verisign or GoDaddy). The third-party certificate must be present on the host device that is running XCO. You can then install it with the following command:
$ efa certificate server --help
Install certificates for EFA

Usage:
  efa certificate server [flags]
  efa certificate server [command]

Available Commands:
  renew       Renew certificates for EFA

Flags:
      --certificate string   Certificate for EFA
      --key string           Key File for the certificate
      --cacert string        CA Certificate File
Example:
$ efa certificate server --certificate=my_server.pem --key=my_server.key --cacert=ca-chain.pem
Please wait as the certificates are being installed...
Certificates were installed!
--- Time Elapsed: 30.946303683s ---
Note
To upload third-party certificates for the HTTPS server on SLX, use the following CLI command. This command installs certificates on only one device at a time.
(efa:extreme)extreme@tpvm:/apps/test/certs$ efa certificate device install --ip=10.x.x.x --cert-type https --https-certificate server.crt --https-key my_server.key
WARNING: This will restart the HTTP service on the devices and services will not be able to connect till the operation is complete.
Do you want to proceed [y/n]? y
+--------------+---------+
| IP Address   | Status  |
+--------------+---------+
| 10.20.61.171 | Success |
+--------------+---------+
--- Time Elapsed: 38.516844258s ---
slx-171# show crypto ca certificates
Certificate Type: https; Trustpoint: none
certificate:
SHA1 Fingerprint=D8:49:5F:12:AC:FE:BB:CB:95:C2:AC:6B:AF:B6:5B:9E:24:66:59:7D
Subject: CN=10.x.x.x/subjectAltName=IP=10.20.61.171
Issuer: C=US, O=xyz, OU=abcd, CN=INTERIM-CN
Not Before: Feb 10 11:23:36 2022 GMT
Not After : Jun 25 11:23:36 2023 GMT
XCO utilizes the third-party certificates for northbound access. Prior to XCO 3.2.0, when you run any upgrade or node-replacement procedure, the third-party certificate is replaced with the default certificates of XCO.
From XCO 3.2.0 onward, the certificates that you have installed are retained during any deployment activities.
If any issue occurs while installing the third-party certificates, XCO reverts to the default certificates that are shipped with it. The validity of the third-party certificates is verified during XCO upgrade and during the initial upload of the third-party certificates.
The certificate is valid for 3 years from the date of installation. It is regenerated whenever a multiaccess subinterface is created or deleted in XCO.
A legacy notification is sent to the user if the certificate is going to expire within 30 days. If you do not renew the certificate within 7 days of expiry, the following warning message is displayed on every login to the XCO CLI.
(efa:extreme)extreme@tpvm:/apps/test/certs$ efa login
Password:
Login successful.
Warning: The certificate for 'EFA' will expire on '2022-04-08 14:43:43 +0530 IST'.
--- Time Elapsed: 5.532391719s ---

The XCO server certificate supports the following alerts, which affect the health of the XCO security subsystem.
For more information, see Fault Management - Alerts.
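Because a bundle that fails installation makes XCO fall back to its default certificate, and because the expiry warning starts 30 days out, it is worth checking a third-party bundle locally before running `efa certificate server`. The script below is an added example, not part of the XCO/EFA tooling; it uses the file names from the install example above and builds a constructed throwaway CA with openssl so it runs offline.

```bash
#!/usr/bin/env bash
# Added example (not XCO/EFA code): pre-install checks for a server
# certificate bundle destined for "efa certificate server".
set -euo pipefail

# 0 if the private key belongs to the certificate (compares public keys).
key_matches_cert() {  # $1=cert.pem  $2=key.pem
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$from_cert" = "$from_key" ]
}

# 0 if the certificate chains to the supplied CA bundle (the --cacert file).
chain_verifies() {  # $1=cert.pem  $2=ca-chain.pem
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the certificate expires within $2 days (30 = the warning window).
expires_within_days() {  # $1=cert.pem  $2=days
  # -checkend exits 0 when the cert is still valid after that many seconds.
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )); then
    return 1
  fi
  return 0
}

# Run all checks; 0 only if the bundle is safe to hand to the installer.
check_bundle() {  # $1=cert.pem  $2=key.pem  $3=ca-chain.pem
  key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
  chain_verifies "$1" "$3"   || { echo "certificate does not chain to CA"; return 1; }
  if expires_within_days "$1" 30; then echo "certificate expires within 30 days"; return 1; fi
  echo "bundle OK"
}

# Constructed demo material: a throwaway CA and a 3-year server certificate.
TMP=$(mktemp -d); cd "$TMP"
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout ca.key \
  -out ca-chain.pem -subj "/O=Constructed/CN=Demo Intermediate CA" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout my_server.key -out my_server.csr \
  -subj "/CN=xco.example.invalid" 2>/dev/null
openssl x509 -req -in my_server.csr -CA ca-chain.pem -CAkey ca.key \
  -CAcreateserial -days 1095 -out my_server.pem 2>/dev/null
# The same CSR signed for only 5 days, to exercise the expiry check.
openssl x509 -req -in my_server.csr -CA ca-chain.pem -CAkey ca.key \
  -CAcreateserial -days 5 -out short_lived.pem 2>/dev/null

check_bundle my_server.pem my_server.key ca-chain.pem
```

Point `check_bundle` at the real `my_server.pem`, `my_server.key` and `ca-chain.pem` in place of the constructed files; a non-zero exit means the installer would most likely reject the bundle and leave XCO on its default certificate.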
To renew the server certificate, use the following command:
(efa:extreme)extreme@tpvm:/apps$ efa certificate server renew
Certificate renewal is successful
--- Time Elapsed: 33.516064167s ---
Note
CertificateRenewalAlert is raised, which changes the health of the system to green.