When you register a device in EFA, a new certificate is generated for the HTTPS server of the SLX device. The certificate is issued by the default CA that EFA contains.
The following is an example of a certificate on SLX after device registration:
slx-171# show crypto ca certificates
Certificate Type: https; Trustpoint: none
certificate:
SHA1 Fingerprint=C1:F1:2C:BF:1A:47:7B:46:5D:8F:18:99:0E:58:CF:31:8C:58:5F:CC
Subject: CN=slx-10.x.x.x.extremenetworks.com
Issuer: C=US, ST=CA, O=Extreme Networks, OU=Extreme Fabric Automation Intermediate, CN=EFA Intermediate CA/emailAddress=support@extremenetworks.com
Not Before: Jan 10 11:12:18 2022 GMT
Not After : Jan 10 11:12:18 2024 GMT
To use third-party certificates for the HTTPS server on SLX, the EFA certificate CLI command is extended. You need a new certificate and key to install on the device. The CLI command installs certificates on only one device at a time.
(efa:extreme)extreme@tpvm:/apps/test/certs$ efa certificate device install --ip=10.x.x.x --cert-type https --https-certificate server.crt --https-key my_server.key
WARNING: This will restart the HTTP service on the devices and services will not be able to connect till the operation is complete. Do you want to proceed [y/n]?
y
+--------------+---------+
| IP Address   | Status  |
| 10.20.61.171 | Success |
+--------------+---------+
--- Time Elapsed: 38.516844258s ---
After the installation, the device must have the new certificates uploaded:
slx-171# show crypto ca certificates
Certificate Type: https; Trustpoint: none
certificate:
SHA1 Fingerprint=D8:49:5F:12:AC:FE:BB:CB:95:C2:AC:6B:AF:B6:5B:9E:24:66:59:7D
Subject: CN=10.x.x.x/subjectAltName=IP=10.20.61.171
Issuer: C=US, O=xyz, OU=abcd, CN=INTERIM-CN
Not Before: Feb 10 11:23:36 2022 GMT
Not After : Jun 25 11:23:36 2023 GMT
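One way to confirm the replacement from the two "show crypto ca certificates" listings above is to compare them field by field. This is an added example, not part of EFA or SLX; the function names parse_cert and check_install are hypothetical, and the default-CA test assumes the issuer string "CN=EFA Intermediate CA" shown in the first listing.

```python
import re
from datetime import datetime, timezone

# Certificate fields copied from the two listings on this page.
BEFORE = """\
SHA1 Fingerprint=C1:F1:2C:BF:1A:47:7B:46:5D:8F:18:99:0E:58:CF:31:8C:58:5F:CC
Subject: CN=slx-10.x.x.x.extremenetworks.com
Issuer: C=US, ST=CA, O=Extreme Networks, OU=Extreme Fabric Automation Intermediate, CN=EFA Intermediate CA/emailAddress=support@extremenetworks.com
Not Before: Jan 10 11:12:18 2022 GMT
Not After : Jan 10 11:12:18 2024 GMT"""
AFTER = """\
SHA1 Fingerprint=D8:49:5F:12:AC:FE:BB:CB:95:C2:AC:6B:AF:B6:5B:9E:24:66:59:7D
Subject: CN=10.x.x.x/subjectAltName=IP=10.20.61.171
Issuer: C=US, O=xyz, OU=abcd, CN=INTERIM-CN
Not Before: Feb 10 11:23:36 2022 GMT
Not After : Jun 25 11:23:36 2023 GMT"""

FIELD = re.compile(r"^(SHA1 Fingerprint|Subject|Issuer|Not Before|Not After)\s*[:=]\s*(.*)$")

def parse_cert(text):
    """Extract the certificate fields from 'show crypto ca certificates' output."""
    cert = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            cert[m.group(1)] = m.group(2).strip()
    for key in ("Not Before", "Not After"):
        stamp = datetime.strptime(cert[key], "%b %d %H:%M:%S %Y GMT")
        cert[key] = stamp.replace(tzinfo=timezone.utc)
    return cert

def check_install(before, after, device_ip, now=None):
    """Return a list of problems; an empty list means the new certificate is in place."""
    now = now or datetime.now(timezone.utc)
    old, new = parse_cert(before), parse_cert(after)
    problems = []
    if new["SHA1 Fingerprint"] == old["SHA1 Fingerprint"]:
        problems.append("fingerprint unchanged: device still serves the old certificate")
    if "CN=EFA Intermediate CA" in new["Issuer"]:  # assumption: default CA name from the first listing
        problems.append("issuer is still the EFA default CA")
    if f"IP={device_ip}" not in new["Subject"]:
        problems.append(f"subject has no subjectAltName IP={device_ip}")
    if not new["Not Before"] <= now <= new["Not After"]:
        problems.append("certificate is outside its validity window")
    return problems
```

The validity check matters for the listing above: the third-party certificate expires on Jun 25 2023, earlier than the EFA-issued one it replaces.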