The following tables provide information about EFA certificates.
| Certificate | Location in TPVM deployment | Location in server deployment | Description | Default Validity Period | Impact on the system | Renewal Procedure | Alarm/Notification |
|---|---|---|---|---|---|---|---|
| SSL/TLS Certificate of EFA | /apps/efadata/certs/own/tls.crt | /opt/efadata/certs/own/tls.crt | The certificate of EFA server for secure communication with the clients. The same certificate is used on port 443 (default EFA), 8078 (monitor service of EFA), 6514 (syslog listener on EFA) | Until EFA 2.7.0 - Expires in 1 year from installation. From EFA 2.7.2 - Expires in 3 years from installation. Reset after every subinterface creation/upgrade |
If the certificate expires, then the server communication with SSL verification enabled will fail. Disables syslog messages from the devices | Follow procedure 2 in the Extreme Knowledge Base article. | 2.7.x: Notification is sent to EFA subscribers from 30 days to expiry and warning message on every login from 7 days to expiry. |
| Intermediate CA Certificate of EFA | /apps/efadata/certs/ca/extreme-ca-cert.pem | /opt/efadata/certs/ca/extreme-ca-cert.pem | The certificate of Certificate Authority, which is the issuer of client and server certificates of EFA and HTTPS certificate of SLX. Same certificate is seen as SyslogCA on SLX | Expires in 10 years from the date of installation | Renew or Regenerate CA Certificate | Not available | |
| Root CA Certificate of EFA | /apps/efadata/certs/ca/extreme-ca-root.pem | /opt/efadata/certs/ca/extreme-ca-root.pem | The certificate of Certificate Authority, which is the issuer of Intermediate CA certificate | Expires in 20 years from the date of installation | Renew or Regenerate CA Certificate | Not available | |
| HTTPS Certificate of SLX | /apps/efadata/certs/slx-<IP>.extremenetworks.com-cert.pem | /opt/efadata/certs/slx-<IP>.extremenetworks.com-cert.pem | The certificate of SLX Web Server (Apache) for secure communication with the device from EFA | Expires in 2 years from installation | System will not use encryption for HTTPS requests | Renew HTTPS Certificates for SLX | From 2.4.x: Notification is sent to EFA subscribers from 30 days of expiry. |
| K3s Certificate - EFA internal | /apps/rancher/k3s/server/tls/ | /var/lib/rancher/k3s/server/tls/ | EFA uses k3s for management of services. This certificate is for secure communication of k3s with clients | Expires in 1 year from installation. Reset after every upgrade of EFA | Follow procedure 2 in the Extreme Knowledge Base article. | Not available | |
| Host Authentication Service Certificate - EFA internal | /apps/bin/hostauth-certs/cert.pem | /usr/local/bin/hostauth-certs/cert.pem | The server certificate of host authentication service on EFA | Until EFA 2.7.0 - Expires in 3 years from the date of release.
From EFA 2.7.2 - Expires in 10 years from the date of release |
System will not use encryption for HTTPS requests | Refreshed on upgrade of EFA to next release | Not available |
| JWT Signing/Verification - EFA internal | /apps/efadata/certs/cert.crt.pem | /opt/efadata/certs/cert.crt.pem | The RSA public key for JWT verification. This is also used to send user context from EFA to SLX. Same certifcate is seen as Oauth certificate on SLX | Expires in 10 years from the date of installation | Disables login to EFA | Regenerate Token Signing Certificate | Not available |