EFA Root CA
EFA is shipped with Root CA that is used to generate Intermediate CA. The Root CA is unique across each EFA and is generated during installation.
Location
- TPVM: /apps/efadata/certs/ca/extreme-ca-root.pem
- Server: /opt/efadata/certs/own/extreme-ca-root.pem
Expiry and Alerts
The EFA Root CA is valid till 20 years from the date of installation. It supports the following alerts which effects the health of EFA security subsystem:
- CertificateExpiryNoticeAlert
- CertificateExpiredAlert
- CertificateUnreadableAlert
For more information, see Fault Management.
Renewal
To renew or regenerate the Root CA, run the renewal script efa_renew_certs.sh.

Note
In TPVM, the renewal script is available in /apps/efa/ and /opt/efa/ on a server installation.sudo bash <path to the script>/efa_renew_certs.sh --type rootca
After the Root CA is updated,
- New Intermediate CA is generated
- New EFA Server Certificate is generated. If a third-party certificate is used, then the server certificate generation is skipped.
On renewal of certificate, CertificateRenewalAlert
is raised which changes the health of the
system to green.