This topic describes the use of third-party certificates for the RASlog service (syslog from SLX).
EFA ships with default certificates. These are self-signed, and the same certificates are used by the listener that receives syslog messages from SLX.
$ efa inventory device register --ip=10.x.x.x --username=admin --password=password
+----+------------+-----------+-------+--------------+----------+---------+--------+
| ID | IP Address | Host Name | Model | Chassis Name | Firmware | Status  | Reason |
+----+------------+-----------+-------+--------------+----------+---------+--------+
| 1  | 10.x.x.x   | SLX       | 3012  | SLX9250-32C  | 20.2.3d  | Success |        |
+----+------------+-----------+-------+--------------+----------+---------+--------+
Device Details
--- Time Elapsed: 1m6.570042048s ---
By default, the syslog CA on the device is the default CA that EFA contains: the EFA Intermediate CA is pushed to SLX, which uses it to authenticate EFA's server certificate in the mutual TLS session on port 6514 over which EFA receives syslog messages from SLX.
SLX# show crypto ca certificates syslog
CA certificate(Server authentication):
SHA1 Fingerprint=A3:E8:F6:CB:46:F6:43:C5:D1:90:1F:A7:C6:58:93:29:77:6F:2F:8E
Subject: C=US, ST=CA, O=Extreme Networks, OU=Extreme Fabric Automation Intermediate, CN=EFA Intermediate CA/emailAddress=support@extremenetworks.com
Issuer: C=US, ST=CA, L=SJ, O=Extreme Networks, OU=Extreme Fabric Automation, CN=efa.extremenetworks.com/emailAddress=support@extremenetworks.com
Not Before: Feb 20 22:25:26 2020 GMT
Not After : Feb 17 22:25:26 2030 GMT
An enhancement updates the RASlog service to use the same custom certificates that the EFA servers use. The certificate CLI on EFA gains a new parameter, --cacert, which lets you upload the CA (or CA chain) that issued the server certificate.
$ efa certificate server --certificate=my_server_162.pem --key=my_server_162.key --cacert=ca-chain.pem
Please wait as the certificates are being installed...
Certificates were installed!
--- Time Elapsed: 30.946303683s ---
If a third-party certificate is installed on EFA together with its CA, that CA is pushed to the device as the syslog CA instead of the default EFA Intermediate CA.
SLX# show crypto ca certificates syslog
CA certificate(Server authentication):
SHA1 Fingerprint=32:70:EB:91:F4:6D:9C:9F:6E:35:E0:00:20:B8:1A:FF:AF:BA:0D:8A
Subject: C=US, O=xyz, OU=abcd, CN=INTERIM-CN
Issuer: C=US, O=xzy, OU=abcd, CN=ROOT-CN
Not Before: Feb 15 14:56:08 2022 GMT
Not After : Nov 11 14:56:08 2024 GMT
If you do not provide a CA certificate, the default EFA certificates are used. If devices are already registered, the syslog certificate on those devices is updated automatically.
The syslog CA has the same expiry as the EFA Intermediate CA or the third-party CA, whichever is in use. A notification is sent to users when the certificate is due to expire within 30 days. It supports the following alerts, which affect the health of the EFA security subsystem.
When an intermediate CA is renewed on EFA, it is pushed to SLX.
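The checks an operator would want around the --cacert upload above, as an added example that is not part of the EFA or SLX documentation. The script builds a throwaway root, intermediate and server certificate with openssl (every subject, file name and lifetime in it is constructed for the demo; the file names only mirror the page), and then defines three helpers of my own naming: sha1_fingerprint to produce the colon-separated SHA1 that SLX prints so you can compare it with the CA at the top of the uploaded ca-chain.pem, chains_to to confirm the server certificate actually verifies against that bundle (what the SLX does for EFA's certificate on port 6514), and valid_for_days to test whether a CA is inside the 30-day expiry window.

```shell
#!/usr/bin/env bash
# Added example, not EFA or SLX code. Throwaway root -> intermediate -> server
# chain, then the checks to run around:
#   efa certificate server --certificate=... --key=... --cacert=ca-chain.pem
# All subjects, file names and lifetimes are constructed for this demo.
set -eu
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

WORK="$(mktemp -d)"
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext

# new_key_csr NAME SUBJECT: RSA key plus CSR (openssl chatter silenced).
new_key_csr() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
}

# Root CA (self-signed, 10 years) and the intermediate CA it issues (5 years).
new_key_csr root "/C=US/O=xyz/OU=abcd/CN=ROOT-CN"
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext \
  -out root.pem 2>/dev/null
new_key_csr intermediate "/C=US/O=xyz/OU=abcd/CN=INTERIM-CN"
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out intermediate.pem 2>/dev/null

# EFA server certificate issued by the intermediate (what --certificate would take).
new_key_csr my_server_162 "/C=US/O=xyz/CN=efa.example.test"
openssl x509 -req -in my_server_162.csr -CA intermediate.pem -CAkey intermediate.key \
  -CAcreateserial -days 365 -extfile leaf.ext -out my_server_162.pem 2>/dev/null

# Bundle for --cacert: issuing intermediate first, then the root.
cat intermediate.pem root.pem > ca-chain.pem

# Negative fixtures: an unrelated root, and a CA that expires in 10 days.
new_key_csr other "/C=US/O=someone-else/CN=OTHER-ROOT"
openssl x509 -req -in other.csr -signkey other.key -days 3650 -extfile ca.ext \
  -out other-root.pem 2>/dev/null
new_key_csr short "/C=US/O=xyz/CN=SHORT-LIVED-CA"
openssl x509 -req -in short.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 10 -extfile ca.ext -out short.pem 2>/dev/null

# sha1_fingerprint CERT.pem: uppercase colon-separated SHA1 over the DER, the form
# SLX prints in `show crypto ca certificates syslog`. On a bundle this reads the
# FIRST certificate only, so bundle order matters for the comparison.
sha1_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# slx_fingerprint_matches SHOWN CERT.pem: compare the value copied from the SLX
# (any letter case) with a local PEM.
slx_fingerprint_matches() {
  [ "$(printf '%s' "$1" | tr 'a-f' 'A-F')" = "$(sha1_fingerprint "$2")" ]
}

# chains_to SERVER.pem BUNDLE.pem: exit 0 if the server cert verifies against the bundle.
chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# valid_for_days CERT.pem N: exit 0 if notAfter is more than N days away.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# What an operator would run after the upload:
echo "CA fingerprint to compare with SLX: $(sha1_fingerprint ca-chain.pem)"
chains_to my_server_162.pem ca-chain.pem && echo "server cert chains to ca-chain.pem"
valid_for_days intermediate.pem 30 && echo "intermediate CA valid for more than 30 days"
valid_for_days short.pem 30 || echo "short.pem expires within 30 days (EFA would notify)"
```

Two points the run makes that the text alone does not: verifying my_server_162.pem against root.pem alone fails, because the chain cannot be built without the intermediate, which is why the bundle and not just the root goes into --cacert; and since `openssl x509` reads only the first certificate of a bundle, compare the SLX fingerprint against the certificate the SLX actually shows (INTERIM-CN above), not blindly against whatever happens to be first in your file.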