Northbound Interface Certificates
The certificate bundled with EFA is signed by the private Certificate Authority (CA)
chain. To replace it with a third-party certificate acquired through a trusted CA
(such as Verisign or GoDaddy), the third-party certificate must be present on the host
device that is running EFA. You can then install it with the following command:
$ efa certificates server --certificate <cert-filename> --key <key-filename> --cacert <cert-filename>
Important
- If you install your own server certificate to use with the EFA HTTPS server,
remember to reinstall the certificate when you upgrade EFA.
- Generate the third-party certificates and keys without a passphrase. Certificate
installation may fail if you generate the third-party certificates and keys with a
passphrase.
Communication with third-party certificates in an EFA installation is enabled on the
following ports:
- 443: Secure installation of EFA
- 8078: Monitoring service of EFA
For information about third-party certificates in a multiple management IP
network, see Configuration Supporting Multiple Management IP Networks.
For a multi-node deployment, EFA uses the common name (CN) of the virtual IP address and
a Subject Alternative Name containing the virtual IP address and the node IP addresses.
Example for a single-node deployment:
Subject: CN=efa.extremenetworks.com
……
X509v3 Subject Alternative Name:
DNS:efa.extremenetworks.com, IP Address:127.0.0.1,
IP Address:10.24.15.173
Example for a multi-node deployment:
Subject: CN=efa.extremenetworks.com
……
X509v3 Subject Alternative Name:
DNS:efa.extremenetworks.com, IP Address:127.0.0.1, IP Address:10.24.15.178,
IP Address:10.24.15.174, IP Address:10.24.15.253
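A pre-install check for the two requirements above (a key without a passphrase, and a Subject Alternative Name that lists the virtual IP and node IP addresses), given as an added example that is not part of EFA or its documentation. The function names are hypothetical, and applying the SAN layout shown above to a third-party certificate is an assumption.

```shell
#!/bin/sh
# Added example: checks to run on a third-party certificate and key before
# `efa certificates server`. All function names here are hypothetical.

# Constructed sample: SAN section in the layout `openssl x509 -noout -text`
# prints, filled with the multi-node values shown on this page.
SAMPLE_TEXT='Subject: CN=efa.extremenetworks.com
X509v3 Subject Alternative Name:
    DNS:efa.extremenetworks.com, IP Address:127.0.0.1, IP Address:10.24.15.178, IP Address:10.24.15.174, IP Address:10.24.15.253'

# san_entries TEXT: print one SAN entry per line, e.g. "IP Address:10.24.15.178".
san_entries() {
    printf '%s\n' "$1" |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# missing_sans TEXT ENTRY...: print every required entry that is absent and
# return 1 if any is. Whole-line matching keeps 10.24.15.17 from being
# satisfied by 10.24.15.178.
missing_sans() {
    text=$1; shift
    entries=$(san_entries "$text")
    rc=0
    for want in "$@"; do
        printf '%s\n' "$entries" | grep -Fxq -- "$want" || { echo "$want"; rc=1; }
    done
    return $rc
}

# key_is_encrypted FILE: succeed if the PEM key is passphrase-protected
# (encrypted PKCS#8 header, or the traditional PEM Proc-Type header).
key_is_encrypted() {
    grep -Eq -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# precheck CERT KEY ENTRY...: run both checks against real files.
precheck() {
    cert=$1; key=$2; shift 2
    if key_is_encrypted "$key"; then
        echo "key is passphrase-protected; installation may fail" >&2; return 1
    fi
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    missing_sans "$text" "$@" >&2 || { echo "SAN entries above are missing" >&2; return 1; }
}

# Run the checks only when a certificate and key are given on the command line.
if [ "$#" -ge 2 ]; then precheck "$@"; fi
```

Pass the certificate, the key, and each required entry in the form openssl prints it, for example `"IP Address:10.24.15.253"`.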