The following tables provide information about EFA certificates and external certificates.

Certificate | Location in TPVM deployment | Location in server deployment | Description | Default Validity Period | Impact on the system | Renewal Procedure | Alarm/Notification |
---|---|---|---|---|---|---|---|
SSL/TLS Certificate of EFA | /apps/efadata/certs/own/tls.crt | /opt/efadata/certs/own/tls.crt | The certificate of EFA server for secure communication with the clients. The same certificate is used on port 443 (default EFA), 8078 (monitor service of EFA), 6514 (syslog listener on EFA) | Until EFA 2.7.0 - Expires in 1 year from installation. From EFA 2.7.2 - Expires in 3 years from installation. Reset after every subinterface creation/upgrade | If the certificate expires, then the server communication with SSL verification enabled will fail. Disables syslog messages from the devices | https://extremeportal.force.com/ExtrArticleDetail?an=000102994, https://extremeportal.force.com/ExtrArticleDetail?an=000104838 | 2.7.x: Notification is sent to EFA subscribers from 30 days to expiry and warning message on every login from 7 days to expiry. |
Intermediate CA Certificate of EFA | /apps/efadata/certs/ca/extreme-ca-cert.pem | /opt/efadata/certs/ca/extreme-ca-cert.pem | The certificate of Certificate Authority, which is the issuer of client and server certificates of EFA and HTTPS certificate of SLX. Same certificate is seen as SyslogCA on SLX | Valid till Feb 17 2030 GMT | Not available | Not available | |
Root CA Certificate of EFA | /apps/efadata/certs/ca/extreme-ca-root.pem | /opt/efadata/certs/ca/extreme-ca-root.pem | The certificate of Certificate Authority, which is the issuer of Intermediate CA certificate | Valid till Feb 15 2040 GMT | Not available | Not available | |
HTTPS Certificate of SLX | /apps/efadata/certs/slx-<IP>.extremenetworks.com-cert.pem | /opt/efadata/certs/slx-<IP>.extremenetworks.com-cert.pem | The certificate of SLX Web Server (Apache) for secure communication with the device from EFA | Expires in 2 years from installation | System will not use encryption for HTTPS requests | Not available | From 2.4.x: Notification is sent to EFA subscribers from 30 days of expiry. |
K3s Certificate - EFA internal | /apps/rancher/k3s/server/tls/ | /var/lib/rancher/k3s/server/tls/ | EFA uses k3s for management of services. This certificate is for secure communication of k3s with clients | Expires in 1 year from installation. Reset after every upgrade of EFA | https://extremeportal.force.com/ExtrArticleDetail?an=000102994 | Not available | |
Host Authentication Service Certificate - EFA internal | /apps/bin/hostauth-certs/cert.pem | /usr/local/bin/hostauth-certs/cert.pem | The server certificate of host authentication service on EFA | Until EFA 2.7.0 - Expires in 3 years from the date of release. From EFA 2.7.2 - Expires in 10 years from the date of release | System will not use encryption for HTTPS requests | Refreshed on upgrade of EFA to next release | Not available |
JWT Signing/Verification - EFA internal | /apps/efadata/certs/cert.crt.pem | /opt/efadata/certs/cert.crt.pem | The RSA public key for JWT verification. This is also used to send user context from EFA to SLX. Same certificate is seen as OAuth certificate on SLX | Expires in 10 years from the date of installation | Disables login to EFA | Not available | Not available |

Certificate | Location in TPVM deployment | Location in server deployment | Description |
---|---|---|---|
Syslog CA | Notification service database in mariadb | Notification service database in mariadb | Connect to external Syslog server for sending notifications over RELP. |
Webhook CA | Notification service database in mariadb | Notification service database in mariadb | Connect to external Syslog server for sending notifications over webhooks. |
LDAP CA | Auth service database in mariadb | Auth service database in mariadb | Connect to external LDAP server |
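
An added example (not part of the EFA documentation or Extreme's tooling): a POSIX shell helper that runs `openssl x509 -checkend` over the certificate paths in the first table and flags anything inside the 30-day notification window. The function names, the `slx-*-cert.pem` glob and the `*.crt` pattern for the k3s directory are assumptions.

```shell
#!/bin/sh
# Added example: report expiry status of the EFA certificate files listed in the table.
WARN_DAYS=30   # the table's notification window: 30 days before expiry

# Print one of: missing | unreadable | expired | expiring | ok
cert_status() {
    cert=$1
    days=${2:-$WARN_DAYS}
    [ -f "$cert" ] || { echo missing; return 0; }
    # Not a parseable X.509 PEM file (or openssl is not installed)
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || { echo unreadable; return 0; }
    # -checkend N exits non-zero when the certificate expires within N seconds
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# List the table's certificate paths for a deployment type: tpvm | server
efa_cert_paths() {
    case $1 in
        tpvm)   data=/apps/efadata/certs; k3s=/apps/rancher/k3s/server/tls
                hostauth=/apps/bin/hostauth-certs/cert.pem ;;
        server) data=/opt/efadata/certs; k3s=/var/lib/rancher/k3s/server/tls
                hostauth=/usr/local/bin/hostauth-certs/cert.pem ;;
        *)      echo "usage: efa_cert_paths tpvm|server" >&2; return 2 ;;
    esac
    printf '%s\n' "$data/own/tls.crt" "$data/ca/extreme-ca-cert.pem" \
        "$data/ca/extreme-ca-root.pem" "$hostauth" "$data/cert.crt.pem"
    # Assumption: per-device SLX files match slx-*-cert.pem and k3s files end in .crt
    for f in "$data"/slx-*-cert.pem "$k3s"/*.crt; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
    return 0
}

# Print "<status> <path>" for every certificate of the deployment
efa_cert_report() {
    efa_cert_paths "$1" | while IFS= read -r p; do
        printf '%-10s %s\n' "$(cert_status "$p" "${2:-$WARN_DAYS}")" "$p"
    done
}
```

Source the file and run `efa_cert_report tpvm` or `efa_cert_report server` as a user that can read the certificate directories; pass a second argument to change the warning window in days.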