Generate Dynamic CA Certificates

About this task

EFA is shipped with CA certificates that are used for generating server certificates.

The Root CA expires in 2040 and the Intermediate CA expires in 2030. These CA certificates are the same across all EFA installations. The CA certificates are generated during each installation, making them unique per deployment.

The CA certificates have the following expiry set:

  • Intermediate CA certificate – 10 years from the date of installation.
  • Root CA certificate – 20 years from the date of installation.

During an upgrade, the old certificates are retained, and cannot be regenerated.

The CA certificates are used to:

  • Generate the server certificate of EFA
  • Generate the HTTPS certificate of SLX
  • Connect from the Syslog server of SLX

Procedure

Regenerate the CA certificate using the following API for each device:
extreme@tpvm:~$ openssl x509 -in /apps/efadata/certs/ca/extreme-ca-root.pem -noout -enddate

notAfter=Jun 20 22:19:26 2042 GMT

extreme@tpvm:~$ openssl x509 -in /apps/efadata/certs/ca/extreme-ca-intermediate.pem -noout -enddate

notAfter=Jun 20 22:20:20 2032 GMT
Note

SLX supports a single Syslog CA certificate. Therefore, only one EFA installation can register a device, because the CA will be different.
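
Because the old CA certificates are retained during an upgrade, it is worth tracking their end dates. The script below is an added example, not part of the EFA product or of the original page: it wraps the openssl -enddate check from the procedure and classifies each CA certificate as OK, WARN or EXPIRED. The function names and the WARN_DAYS threshold are assumptions, and it requires GNU date.

```shell
#!/usr/bin/env bash
# Added example: flag EFA CA certificates that are expired or near expiry.
# The PEM paths are the ones shown on this page; WARN_DAYS is an assumed
# threshold. Requires GNU date (for -d) and openssl.

WARN_DAYS="${WARN_DAYS:-365}"

# secs_left "<notAfter=... line>" [now_epoch]
# Prints seconds from now until notAfter (negative once expired).
secs_left() {
    local enddate="${1#notAfter=}" now="${2:-$(date -u +%s)}" end
    end=$(date -u -d "$enddate" +%s) || return 2
    echo $(( end - now ))
}

# days_left: same arguments, whole days remaining (truncated toward zero).
days_left() {
    local s
    s=$(secs_left "$1" "$2") || return 2
    echo $(( s / 86400 ))
}

# classify: prints EXPIRED, WARN (fewer than WARN_DAYS left) or OK.
classify() {
    local s
    s=$(secs_left "$1" "$2") || { echo "UNPARSEABLE"; return 2; }
    if [ "$s" -le 0 ]; then echo "EXPIRED"
    elif [ "$s" -lt $(( WARN_DAYS * 86400 )) ]; then echo "WARN"
    else echo "OK"; fi
}

# check_cert <pem>: read the end date with the page's openssl command.
check_cert() {
    local pem="$1" line
    [ -r "$pem" ] || { echo "SKIP $pem (not readable)"; return 0; }
    line=$(openssl x509 -in "$pem" -noout -enddate) || return 1
    echo "$(classify "$line") $(days_left "$line")d $pem"
}

for pem in /apps/efadata/certs/ca/extreme-ca-root.pem \
           /apps/efadata/certs/ca/extreme-ca-intermediate.pem; do
    check_cert "$pem"
done
```

Run it on the TPVM as a scheduled job and alert on any line that does not start with OK.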