EFA Certificate Management

EFA requires certificates for the northbound interface and certificates for devices.

Northbound interface certificates

The certificate is bundled with EFA and signed by the private Certificate Authority (CA) Chain. So that the certificate can be replaced with a third-party certificate acquired through trusted CAs (such as Verisign or GoDaddy), the certificate must be present in the host device that is running EFA. You can then install it with the following command:
$ efa certificates server –-certificate <cert-filename> 
--key <key-filename> [ --configfile  <config-filename ] 

The EFA_INSTALL_DIR environment variable specifies where the EFA configuration file can be found. The optional configuration file can be used to specify a different file than the efa.conf file used by EFA for its settings.

Important

Important

If you install your own server certificate to use with the EFA HTTPS server, remember to reinstall the certificate when you upgrade EFA.
Communication with third-party certificates in an EFA installation is enabled on the following ports:
  • 443: Secure installation of EFA
  • 8078: Monitoring service of EFA
For information about third-party certificates in a multiple management IP network, see Configuration Supporting Multiple Management IP Networks.

For a multi-node deployment, EFA uses the common name (CN) of the virtual IP address and a Subject Alternate Name containing the virtual IP address and the node IP addresses.

Example for a single-node deployment:
Subject: CN=efa.extremenetworks.com 
         …… 
            X509v3 Subject Alternative Name:  
                DNS:efa.extremenetworks.com, IP Address:127.0.0.1, 
IP Address:10.24.15.173 
Example for a multi-node deployment:
  Subject: CN=efa.extremenetworks.com 
         …… 
            X509v3 Subject Alternative Name:
                DNS:efa.extremenetworks.com, IP Address:127.0.0.1, IP Address:10.24.15.178, 
IP Address:10.24.15.174, IP Address:10.24.15.253

Device certificates

The HTTPS server certificate from EFA is presented to a client when that client connects to its northbound interface.

During the registration of an SLX device in EFA, the following configuration changes are made on the device.
  • The public certificate for verifying an EFA token is copied to the device as an OAuth2 certificate.
  • A syslog certificate is installed on the device.
  • EFA generates the HTTPS certificate for the SLX device. The certificate is copied to the device, HTTP mode is disabled on the device, and HTTPS is enabled on the device.
  • OAuth2 is enabled as the primary mode of authentication. Fallback is set to "local login."
  • Managed devices contain the expiration date of an inventory certificate. If a device certificate is within 30 days of expiration, it pushes an event to the notification using the get certs command.

You can use the efa inventory device list command to verify the status of the certificates on the device. If the Cert/Key Saved column contains "N," then certificates are not installed.

You can use the efa certificates device install --ips <ip-adddr> certType [ http|token] command to install the HTTPS or OAuth2 certificate on one or more devices.

Certificate troubleshooting

Issue Resolution
My device is registered but the certificates do not appear on the SLX device. Try the following:
  • Ensure that the device is running at least SLX-OS 20.1.x.
  • Ensure that the time on the SLX device and the time on the EFA host device are synchronized.
  • Ensure that the certificates are installed. Run the efa certificates device install command.
How do I verify the certificate provided by EFA through its ingress interface? Run the following command. The output should indicate that efa.extremenetworks.com is present.

$ openssl s_client -connect <EFA_IP_ADDR>:443