When you register a device in EFA, a new certificate is generated for the HTTPS server of SLX device. The certificate is generated with the default CA that EFA contains.
Following is an example of a certificate on SLX after device registration:
slx-171# show crypto ca certificates Certificate Type: https; Trustpoint: none certificate: SHA1 Fingerprint=C1:F1:2C:BF:1A:47:7B:46:5D:8F:18:99:0E:58:CF:31:8C:58:5F:CC Subject: CN=slx-10.x.x.x.extremenetworks.com Issuer: C=US, ST=CA, O=Extreme Networks, OU=Extreme Fabric Automation Intermediate, CN=EFA Intermediate CA/emailAddress=support@extremenetworks.com Not Before: Jan 10 11:12:18 2022 GMT Not After : Jan 10 11:12:18 2024 GMT
To use third-party certificates for HTTPS server on SLX, the CLI command of certificates on the EFA is extended. You need new certificate and key to install on the device. You can use the CLI command only to install certificates on a single device at once.
(efa:extreme)extreme@tpvm:/apps/test/certs$ efa certificate device install --ip=10.x.x.x --cert-type https --https-certificate server.crt --https-key my_server.key WARNING: This will restart the HTTP service on the devices and services will not be able to connect till the operation is complete. Do you want to proceed [y/n]? y +--------------+---------+ | IP Address | Status | | 10.20.61.171 | Success | +--------------+---------+ --- Time Elapsed: 38.516844258s ---
The device must have the new certificates uploaded:
slx-171# show crypto ca certificates Certificate Type: https; Trustpoint: none certificate: SHA1 Fingerprint=D8:49:5F:12:AC:FE:BB:CB:95:C2:AC:6B:AF:B6:5B:9E:24:66:59:7D Subject: CN=10.x.x.x/subjectAltName=IP=10.20.61.171 Issuer: C=US, O=xyz, OU=abcd, CN=INTERIM-CN Not Before: Feb 10 11:23:36 2022 GMT Not After : Jun 25 11:23:36 2023 GMT
To upload third-party certificates for HTTPS server on SLX, use the following CLI command. This works only to install certificates on a single device at once.
(efa:extreme)extreme@tpvm:/apps/test/certs$ efa certificate device install --ip=10.x.x.x --cert-type https --https-certificate server.crt --https-key my_server.key WARNING: This will restart the HTTP service on the devices and services will not be able to connect till the operation is complete. Do you want to proceed [y/n]? y +--------------+---------+ | IP Address | Status | | 10.20.61.171 | Success | +--------------+---------+ --- Time Elapsed: 38.516844258s ---
slx-171# show crypto ca certificates Certificate Type: https; Trustpoint: none certificate: SHA1 Fingerprint=D8:49:5F:12:AC:FE:BB:CB:95:C2:AC:6B:AF:B6:5B:9E:24:66:59:7D Subject: CN=10.x.x.x/subjectAltName=IP=10.20.61.171 Issuer: C=US, O=xyz, OU=abcd, CN=INTERIM-CN Not Before: Feb 10 11:23:36 2022 GMT Not After : Jun 25 11:23:36 2023 GMT
The HTTPS certificate generated for SLX has an expiry of two years from the date of registration. The device shows the following error message when an HTTP certificate expires:
1022 AUDIT, 2025/06/24-17:20:52 (GMT), [SEC-3112], INFO, SECURITY, admin/admin/127.0.0.1/ http/REST Interface,, SLX, Event: X509v3, Certificate Validation failed, Info: Reason = certificate has expired, Certificate Details = [Subject CN efa.extremenetworks.com, Serial 16193545342960822577 Issuer /C=US/ST=CA/O=Extreme Networks/OU=Extreme Fabric Automation Intermediate/CN=EFA Intermediate CA/emailAddress=support@extremenetworks.com].
Legacy notification is sent to the users if the certificate is going to expire in 30 days. It supports the following alerts which effects the health of EFA security subsystem:
- DeviceCertificateExpiryNoticeAlert - DeviceCertificateExpiredAlert - DeviceCertificateUnreadableAlert
For more information, see Fault Management.
To upload the HTTPS certificate to the device, use the following command:
(efa:extreme)extreme@tpvm:~$ efa certificate device install --ip=10.x.x.x --certtype= https WARNING: This will restart the HTTP service on the devices and services will not be able to connect till the operation is complete. Do you want to proceed [y/n]? y +-------------+---------+ | IP Address | Status | +-------------+---------+ | 10.x.x.x | Success | +-------------+---------+ ---Time Elapsed: 27.233017418s ---
For more information about updating the certificates, see Manual Installation of Certificates on Devices.
On renewal of certificate, CertificateRenewalAlert
is raised which
changes the health of the system to green.