K3s Server Certificate

EFA uses K3s for management of microservices which comes up with its own certificates.


Expiry and Alerts

The certificate is valid till one year from the date of installation which is reset on every upgrade. It supports the following alerts which effects the health of EFA security subsystem:

For more information, see Fault Management.


You can perform the renewal of K3s Server certificate only when:

To renew or regenerate the K3S server certificate, use the renewal script efa_k3s_renew_certs.sh.



In TPVM, the renewal script is available in /apps/efa/ and /opt/efa/ on a server installation.
sudo bash <path to the script>/efa_k3s_renew_certs.sh --type server

On renewal of the certificate, CertificateRenewalAlert is raised which changes the health of the system to green.