EFA Intermediate CA
EFA is shipped with Intermediate CA that is used to
- Generate server certificate of EFA
- Generate HTTPS certificate of SLX
- Connect from Syslog server of SLX
During an upgrade, the old certificates are retained, and will not be regenerated.
Location
- TPVM: /apps/efadata/certs/ca/extreme-ca-cert.pem
- Server: /opt/efadata/certs/own/extreme-ca-cert.pem
Expiry and Alerts
The EFA Intermediate CA is valid till 10 years from the date of installation. It supports the following alerts which effects the health of EFA security subsystem:
- CertificateExpiryNoticeAlert
- CertificateExpiredAlert
- CertificateUnreadableAlert
For more information, see Fault Management.
Renewal
To renew or regenerate the Intermediate CA, run the renewal script efa_renew_certs.sh.
Note
In TPVM, the renewal script is available in /apps/efa/ and /opt/efa/ on a server installation.sudo bash <path to the script>/efa_renew_certs.sh --type intermediateca
After the Intermediate CA certificate is updated,
- New EFA Server Certificate is generated. If a third-party certificate is used, then the server certificate generation is skipped.
- The Syslog certificates for the registered devices are automatically updated.
- Youi must manually update the HTTPS certificate on the devices.
For more information about updating the certificates, see HTTPS Certificates for SLX.
On renewal of certificate, CertificateRenewalAlert is raised which changes the health of the
system to green.