The following tables provide information about EFA certificates.
For Alerts related to Alarm/Notifications, refer to the alerts described in the Fault Management topic.
| Certificate | Location in TPVM deployment | Location in server deployment | Description | Default Validity Period | Impact on the system | Renewal Procedure | Alarm/Notification |
|---|---|---|---|---|---|---|---|
| SSL/TLS Certificate of EFA | /apps/efadata/certs/own/tls.crt | /opt/efadata/certs/own/tls.crt | The certificate of EFA server for secure communication with the clients. The same certificate is used on port 443 (default EFA), 8078 (monitor service of EFA), 6514 (syslog listener on EFA) |
Expires in 3 years from installation. Reset after every subinterface creation/upgrade |
If the certificate expires, then the server communication with SSL verification enabled will fail. Disables syslog messages from the devices | Use the efa certificate server renew command as described in the EFA Server Certificate. | Notification is sent to EFA subscribers
from 30 days to expiry and warning message on every login from 7
days to expiry. Notification is sent to EFA subscribers:
|
| K3s CA Certificate | /apps/rancher/k3s/server/tls/server-ca.crt | /var/lib/rancher/k3s/server/tls/server-ca.crt | EFA uses K3s for management of services. These certificates are for secure communication of K3s with clients. | Expires in 10 years from the date of installation. | K3s CA. |
Notification is sent to EFA subscribers:
|
|
| Intermediate CA Certificate of EFA | /apps/efadata/certs/ca/extreme-ca-cert.pem | /opt/efadata/certs/own/ extreme-ca-cert.pem | The certificate of Certificate Authority, which is the issuer of client and server certificates of EFA and HTTPS certificate of SLX. Same certificate is seen as SyslogCA on SLX | Expires in 10 years from the date of installation | EFA Intermediate CA | Not available Notification is sent to EFA subscribers:
|
|
| Root CA Certificate of EFA | /apps/efadata/certs/ca/extreme-ca-root.pem | /opt/efadata/certs/own/ extreme-ca-root.pem | The certificate of Certificate Authority, which is the issuer of Intermediate CA certificate | Expires in 20 years from the date of installation | EFA Root CA |
EFA Certificate Expiry Notice EFA Certificate Expired EFA Certificate Upload or Renewal |
|
| HTTPS Certificate of SLX | /apps/efadata/certs/slx-<IP>.extremenetworks.com-cert.pem | /opt/efadata/certs/slx-<IP>.extremenetworks.com-cert.pem | The certificate of SLX Web Server (Apache) for secure communication with the device from EFA | Expires in 2 years from installation | System will not use encryption for HTTPS requests | HTTPS Certificates | Notification is sent to EFA subscribers from 30 days of expiry. |
| K3s Certificate - EFA internal | /apps/rancher/k3s/server/tls/ | /var/lib/rancher/k3s/server/tls/ | EFA uses k3s for management of services. This certificate is for secure communication of k3s with clients | Expires in 1 year from installation. Reset after every upgrade of EFA | K3s CA | EFA Certificate Expiry Notice | |
| Host Authentication Service Certificate - EFA internal | /apps/bin/hostauth-certs/cert.pem | /usr/local/bin/hostauth-certs/cert.pem | The server certificate of host authentication service on EFA |
Expires in 10 years from the date of release |
System will not use encryption for HTTPS requests | Refreshed on upgrade of EFA to next release | Not available |
| JWT Signing/Verification - EFA internal | /apps/efadata/certs/cert.crt.pem | /opt/efadata/certs/cert.crt.pem | The RSA public key for JWT verification. This is also used to send user context from EFA to SLX. Same certifcate is seen as Oauth certificate on SLX | Expires in 10 years from the date of installation | Disables login to EFA | JWT Certificate | EFA Certificate Expiry Notice Managed Device Certificate Expiry Notice Managed Device Certificate Expired EFA Certificate Upload or Renewal Managed Device Certificate Upload or Renewal |