This topic describes third-party certificates for the RASlog service (syslog from SLX).
EFA ships with default self-signed certificates, and it uses the same certificates to listen for syslog messages received from SLX.
$ efa inventory device register --ip=10.x.x.x --username=admin --password=password
+----+-------------+-----------+-------+--------------+----------+---------+--------+
| ID | IP Address  | Host Name | Model | Chassis Name | Firmware | Status  | Reason |
+----+-------------+-----------+-------+--------------+----------+---------+--------+
| 1  | 10.x.x.x    | SLX       | 3012  | SLX9250-32C  | 20.2.3d  | Success |        |
+----+-------------+-----------+-------+--------------+----------+---------+--------+
Device Details
--- Time Elapsed: 1m6.570042048s ---
The syslog certificate installed on the device is the default CA certificate that EFA ships with.
SLX# show crypto ca certificates syslog
CA certificate(Server authentication):
SHA1 Fingerprint=A3:E8:F6:CB:46:F6:43:C5:D1:90:1F:A7:C6:58:93:29:77:6F:2F:8E
Subject: C=US, ST=CA, O=Extreme Networks, OU=Extreme Fabric Automation Intermediate, CN=EFA Intermediate CA/emailAddress=support@extremenetworks.com
Issuer: C=US, ST=CA, L=SJ, O=Extreme Networks, OU=Extreme Fabric Automation, CN=efa.extremenetworks.com/emailAddress=support@extremenetworks.com
Not Before: Feb 20 22:25:26 2020 GMT
Not After : Feb 17 22:25:26 2030 GMT
This enhancement updates the RASlog service to use the custom certificates that the EFA servers use. The certificate CLI on EFA has a new parameter that enables you to upload a CA certificate.
$ efa certificate server --certificate=my_server_162.pem --key=my_server_162.key --cacert=ca-chain.pem
Please wait as the certificates are being installed...
Certificates were installed!
--- Time Elapsed: 30.946303683s ---
If there are already registered devices, then the syslog certificate is updated on these devices.
SLX# show crypto ca certificates syslog
CA certificate(Server authentication):
SHA1 Fingerprint=32:70:EB:91:F4:6D:9C:9F:6E:35:E0:00:20:B8:1A:FF:AF:BA:0D:8A
Subject: C=US, O=xyz, OU=abcd, CN=INTERIM-CN
Issuer: C=US, O=xzy, OU=abcd, CN=ROOT-CN
Not Before: Feb 15 14:56:08 2022 GMT
Not After : Nov 11 14:56:08 2024 GMT
If you do not provide any CA certificate, the default certificates of EFA are used.
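One way to confirm that a registered device picked up the uploaded CA, as an added example that is not Extreme's code: compute the SHA-1 fingerprint of each certificate in the CA bundle and compare it with the fingerprint in the device's show crypto ca certificates syslog output. The function names, the constructed sample bytes, and the use of the default fingerprint printed above as a marker for a device still on the default CA are assumptions.

```python
import base64
import hashlib
import re

# Fingerprint of the default EFA intermediate CA as printed on this page;
# assumed here to identify a device that is still on the default certificate.
DEFAULT_EFA_FP = "A3:E8:F6:CB:46:F6:43:C5:D1:90:1F:A7:C6:58:93:29:77:6F:2F:8E"

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
FP_RE = re.compile(r"SHA1 Fingerprint=((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})")


def bundle_fingerprints(pem_text):
    """SHA-1 fingerprint (colon-separated hex) of each certificate in a PEM bundle."""
    fps = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # PEM body -> DER bytes
        digest = hashlib.sha1(der).hexdigest().upper()
        fps.append(":".join(digest[i:i + 2] for i in range(0, 40, 2)))
    return fps


def classify_device(show_output, pem_text):
    """Return 'custom' (device CA is in the bundle), 'default' (still the EFA
    default CA), 'unknown' (some other CA) or 'missing' (no fingerprint found)."""
    found = [fp.upper() for fp in FP_RE.findall(show_output)]
    if not found:
        return "missing"
    bundle = set(bundle_fingerprints(pem_text))
    if all(fp in bundle for fp in found):
        return "custom"
    if DEFAULT_EFA_FP in found:
        return "default"
    return "unknown"


def make_pem(der):
    """Wrap bytes in PEM armour; used only to build the constructed sample."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Constructed sample: placeholder bytes stand in for real DER certificates.
    bundle = make_pem(b"constructed-intermediate") + make_pem(b"constructed-root")
    fp = bundle_fingerprints(bundle)[0]
    print(classify_device("SHA1 Fingerprint=" + fp, bundle))              # custom
    print(classify_device("SHA1 Fingerprint=" + DEFAULT_EFA_FP, bundle))  # default
```

A result of default for a device that was registered before the certificate upload means the device still trusts the EFA default CA for syslog.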