HTTPS Certificates

When you register a device in EFA, a new certificate is generated for the HTTPS server on the SLX device. The certificate is issued by the default CA that EFA contains.

Following is an example of a certificate on SLX after device registration:

slx-171# show crypto ca certificates

Certificate Type: https; Trustpoint: none 
certificate: 
SHA1 Fingerprint=C1:F1:2C:BF:1A:47:7B:46:5D:8F:18:99:0E:58:CF:31:8C:58:5F:CC 
Subject: CN=slx-10.x.x.x.extremenetworks.com 
Issuer: C=US, ST=CA, O=Extreme Networks, OU=Extreme Fabric Automation Intermediate, CN=EFA Intermediate CA/emailAddress=support@extremenetworks.com 
Not Before: Jan 10 11:12:18 2022 GMT 
Not After : Jan 10 11:12:18 2024 GMT

To use third-party certificates for the HTTPS server on SLX, the EFA certificate CLI command is extended. You need a new certificate and key to install on the device. The CLI command installs certificates on only a single device at a time.

(efa:extreme)extreme@tpvm:/apps/test/certs$ efa certificate device install --ip=10.x.x.x --cert-type https --https-certificate server.crt --https-key my_server.key

WARNING: This will restart the HTTP service on the devices and services will not be able to connect till the operation is complete. Do you want to proceed [y/n]?

y 
+--------------+---------+
| IP Address   | Status  | 
| 10.20.61.171 | Success |
+--------------+---------+
--- Time Elapsed: 38.516844258s ---

After installation, the device shows the new certificate:

slx-171# show crypto ca certificates 

Certificate Type: https; Trustpoint: none 
certificate: 
SHA1 Fingerprint=D8:49:5F:12:AC:FE:BB:CB:95:C2:AC:6B:AF:B6:5B:9E:24:66:59:7D 
Subject: CN=10.x.x.x/subjectAltName=IP=10.20.61.171 
Issuer: C=US, O=xyz, OU=abcd, CN=INTERIM-CN 
Not Before: Feb 10 11:23:36 2022 GMT 
Not After : Jun 25 11:23:36 2023 GMT

Expiry and Alerts

The HTTPS certificate generated for SLX expires two years after the date of registration. The device logs the following error message when the HTTPS certificate expires:

1022 AUDIT, 2025/06/24-17:20:52 (GMT), [SEC-3112], INFO, SECURITY, admin/admin/127.0.0.1/
http/REST Interface,, SLX, Event: X509v3, Certificate Validation failed, Info: Reason =
certificate has expired,
Certificate Details = [Subject CN efa.extremenetworks.com,
Serial 16193545342960822577 Issuer /C=US/ST=CA/O=Extreme Networks/OU=Extreme Fabric
Automation Intermediate/CN=EFA Intermediate CA/emailAddress=support@extremenetworks.com].

A legacy notification is sent to users when the certificate is due to expire within 30 days. The following alerts are supported, and each affects the health of the EFA security subsystem:

- DeviceCertificateExpiryNoticeAlert
- DeviceCertificateExpiredAlert
- DeviceCertificateUnreadableAlert

For more information, see Fault Management.
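The following is an added example, not part of the EFA documentation or product code. It reads the "Not After" line from SLX `show crypto ca certificates` output, maps the certificate state to the alert named above using the 30-day notice window, and recognises the SEC-3112 audit message logged on expiry. The sample output and log text are constructed from the examples on this page; the function names are this example's own.

```python
# Added example (not EFA's own code): classify an SLX HTTPS certificate against the
# alert thresholds described on this page, and detect the SEC-3112 expiry audit event.
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

EXPIRY_NOTICE_DAYS = 30  # EFA notifies users 30 days before "Not After"

# Matches the "Not After :" line of `show crypto ca certificates` on SLX.
NOT_AFTER_RE = re.compile(r"^Not After\s*:\s*(.+?)\s*$", re.MULTILINE)
# Matches the audit entry logged when X509v3 validation fails because the cert expired.
EXPIRED_EVENT_RE = re.compile(r"\[SEC-3112\].*Reason\s*=\s*certificate has expired", re.DOTALL)

def parse_not_after(show_output: str) -> Optional[datetime]:
    """Return the certificate's Not After time as an aware UTC datetime, or None if unreadable."""
    m = NOT_AFTER_RE.search(show_output)
    if m is None:
        return None
    try:
        return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    except ValueError:
        return None

def classify(show_output: str, now: datetime) -> str:
    """Map the device certificate state to the EFA alert that would apply at `now`."""
    not_after = parse_not_after(show_output)
    if not_after is None:
        return "DeviceCertificateUnreadableAlert"
    if now >= not_after:
        return "DeviceCertificateExpiredAlert"
    if not_after - now <= timedelta(days=EXPIRY_NOTICE_DAYS):
        return "DeviceCertificateExpiryNoticeAlert"
    return "OK"

def classify_on(show_output: str, iso_day: str) -> str:
    """Convenience wrapper: evaluate the certificate as of 00:00 UTC on an ISO date."""
    return classify(show_output, datetime.fromisoformat(iso_day).replace(tzinfo=timezone.utc))

def is_expired_cert_event(audit_text: str) -> bool:
    """True if an SLX audit entry reports X509v3 validation failure due to expiry."""
    return EXPIRED_EVENT_RE.search(audit_text) is not None

# Constructed sample, based on the default-CA certificate shown on this page.
SAMPLE_SHOW = """Certificate Type: https; Trustpoint: none
certificate:
Subject: CN=slx-10.x.x.x.extremenetworks.com
Not Before: Jan 10 11:12:18 2022 GMT
Not After : Jan 10 11:12:18 2024 GMT
"""

if __name__ == "__main__":
    for day in ("2023-06-01", "2023-12-20", "2024-02-01"):
        print(day, classify_on(SAMPLE_SHOW, day))
```

Running the block prints OK, DeviceCertificateExpiryNoticeAlert and DeviceCertificateExpiredAlert for the three dates, matching the 30-day window and the Not After value in the sample.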

Upload or Renewal

To upload the HTTPS certificate to the device, use the following command:

(efa:extreme)extreme@tpvm:~$ efa certificate device install --ip=10.x.x.x --certtype=https

WARNING: This will restart the HTTP service on the devices and services will not be able
to connect till the operation is complete. Do you want to proceed [y/n]?
y
+-------------+---------+
| IP Address  | Status  |
+-------------+---------+
| 10.x.x.x    | Success |
+-------------+---------+
---Time Elapsed: 27.233017418s ---

For more information about updating the certificates, see Manual Installation of Certificates on Devices.

On certificate renewal, a CertificateRenewalAlert is raised, which changes the health of the system back to green.