EFA Certificate Management

The HTTPS server certificate from EFA is presented to a client when that client connects to its northbound interface.

Overview

The certificate is bundled with EFA and signed by the private Certificate Authority (CA) Chain. So that the certificate can be replaced with a third-party certificate acquired through trusted CAs (such as Verisign or GoDaddy), the certificate must be present in the host device that is running EFA. You can then install it with the following command:
$ efa certificates server –-certificate <cert-filename> 
--key <key-filename> [ --configfile  <config-filename ]

The EFA_INSTALL_DIR environment variable specifies where the EFA configuration file can be found. The optional configuration file can be used to specify a different file than the efa.conf file used by EFA for its settings.

Important

Important

If you install your own server certificate to use with the EFA HTTPS server, remember to reinstall the certificate when you upgrade EFA.

Multi-node implications

For a multi-node deployment, EFA uses the common name (CN) of the virtual IP address and a Subject Alternate Name containing the virtual IP address and the node IP addresses.

Device configuration and certificates

During the registration of an SLX device in EFA, the following configuration changes are made on the device.
  • The public certificate for verifying an EFA token is copied to the device as an OAuth2 certificate.
  • EFA generates the HTTPS certificate for the SLX device. The certificate is copied to the device, HTTP mode is disabled on the device, and HTTPS is enabled on the device.
  • OAuth2 is enabled as the primary mode of authentication. Fallback is set to "local login."

You can use the efa inventory device list command to verify the status of the certificates on the device. If the Cert/Key Saved column contains "N," then certificates are not installed.

You can use the efa certificates device install --ips <ip-adddr> certType [ http|token] command to install the HTTPS or OAuth2 certificate on one or more devices.

Sample certificate contents

Example for a single-node deployment:
Subject: CN=efa.extremenetworks.com 
         …… 
            X509v3 Subject Alternative Name:  
                DNS:efa.extremenetworks.com, IP Address:127.0.0.1, 
IP Address:10.24.15.173
Example for a two-node deployment:
  Subject: CN=efa.extremenetworks.com 
         …… 
            X509v3 Subject Alternative Name:
                DNS:efa.extremenetworks.com, IP Address:127.0.0.1, IP Address:10.24.15.178, 
IP Address:10.24.15.174, IP Address:10.24.15.253

Certificate troubleshooting

Issue Resolution
My device is registered but the certificates do not appear on the SLX device. Try the following:
  • Ensure that the device is running at least SLX-OS 20.1.x.
  • Ensure that the time on the SLX device and the time on the EFA host device are synchronized.
  • Ensure that the certificates are installed. Run the efa certificates device install command.
How do I check the certificate provided by EFA through its ingress interface? Run the following command. The output should indicate that efa.extremenetworks.com is present.

$ openssl s_client -connect <EFA_IP_ADDR>:443

9036767-00 Rev AB