EFA requires certificates for the northbound interface and certificates for devices.
$ efa certificates server --certificate <cert-filename> --key <key-filename> [ --configfile <config-filename> ]
The EFA_INSTALL_DIR environment variable specifies where the EFA configuration file can be found. The optional configuration file can be used to specify a different file than the efa.conf file used by EFA for its settings.
Important
If you install your own server certificate to use with the EFA HTTPS server, remember to reinstall the certificate when you upgrade EFA.
For a multi-node deployment, EFA uses the common name (CN) of the virtual IP address and a Subject Alternative Name containing the virtual IP address and the node IP addresses.
Subject: CN=efa.extremenetworks.com …… X509v3 Subject Alternative Name: DNS:efa.extremenetworks.com, IP Address:127.0.0.1, IP Address:10.24.15.173
Subject: CN=efa.extremenetworks.com …… X509v3 Subject Alternative Name: DNS:efa.extremenetworks.com, IP Address:127.0.0.1, IP Address:10.24.15.178, IP Address:10.24.15.174, IP Address:10.24.15.253
The HTTPS server certificate from EFA is presented to a client when that client connects to its northbound interface.
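The Subject Alternative Name coverage described above can be checked before you install your own certificate. The following is an added example, not part of the EFA documentation or tooling: it parses the text printed by openssl x509 -in <cert-filename> -noout -text and reports which expected names or addresses are missing. The function names and the sample text are constructed for illustration; the addresses are the ones shown in the multi-node output above.

```python
import ipaddress
import re

# Matches the SAN header whether the value follows on the same line or the next.
SAN_RE = re.compile(r"X509v3 Subject Alternative Name:(?:\s*critical)?\s*(.+)")

def parse_san(cert_text):
    """Return (dns_names, ip_addresses) found in `openssl x509 -noout -text` output."""
    match = SAN_RE.search(cert_text)
    dns_names, ips = set(), set()
    if match is None:
        return dns_names, ips  # certificate has no SAN extension
    for entry in match.group(1).split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns_names.add(value.strip().lower())
        elif kind == "IP Address":
            # ip_address() normalizes, so differently written IPv6 forms compare equal
            ips.add(ipaddress.ip_address(value.strip()))
    return dns_names, ips

def missing_san_entries(cert_text, dns_names=(), ip_addrs=()):
    """List expected SAN entries that are absent (exact match, no wildcard handling)."""
    have_dns, have_ips = parse_san(cert_text)
    missing = [f"DNS:{n}" for n in dns_names if n.lower() not in have_dns]
    missing += [f"IP Address:{a}" for a in ip_addrs
                if ipaddress.ip_address(a) not in have_ips]
    return missing

# Constructed sample in the layout of `openssl x509 -noout -text`,
# using the multi-node SAN values shown above.
SAMPLE = """\
        Subject: CN=efa.extremenetworks.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:efa.extremenetworks.com, IP Address:127.0.0.1, IP Address:10.24.15.178, IP Address:10.24.15.174, IP Address:10.24.15.253
"""

if __name__ == "__main__":
    gaps = missing_san_entries(
        SAMPLE,
        dns_names=["efa.extremenetworks.com"],
        ip_addrs=["10.24.15.178", "10.24.15.174", "10.24.15.253"],
    )
    print("SAN covers all expected entries" if not gaps else f"Missing: {gaps}")
```

An empty result means every expected name and address is present; any entry returned is one that clients connecting to that name or address would fail to validate.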
You can use the efa inventory device list command to verify the status of the certificates on the device. If the Cert/Key Saved column contains "N," then certificates are not installed.
You can use the efa certificates device install --ips <ip-addr> certType [http|token] command to install the HTTPS or OAuth2 certificate on one or more devices.
Issue | Resolution |
---|---|
My device is registered but the certificates do not appear on the SLX device. | Try the following: |
How do I verify the certificate provided by EFA through its ingress interface? | Run the following command. The output should indicate that efa.extremenetworks.com is present. |