EFA Server Certificate

EFA is shipped with a self-signed certificate that is generated during installation. It is signed by the EFA Intermediate CA certificate. This certificate is used on the following ports:

Third-party Certificate

You can replace server certificate with a third-party certificate acquired through trusted CAs (for example, Verisign or GoDaddy). The third-party certificate must be present in the host device that is running EFA. You can then install it with the following command:

$ efa certificate server --help
Install certificates for EFA

  efa certificate server [flags]
  efa certificate server [command]

Available Commands:
  renew       Renew certificates for EFA

      --certificate string   Certificate for EFA
      --key string           Key File for the certificate
      --cacert string        CA Certificate File


$ efa certificate server --certificate=my_server.pem --key=my_server.key --cacert=ca-chain.pem
Please wait as the certificates are being installed...
Certificates were installed!
--- Time Elapsed: 30.946303683s ---


  • If you install your own server certificate to use with the EFA HTTPS server, ensure to reinstall the certificate when you upgrade EFA.
  • Generate the third-party certificates and keys without a passphrase. Certificate installation may fail if you generate the third-party certificates and keys with passphrase.
  • Ensure that the certificate that is uploaded has validity of at least 90 days.
  • EFA relies on common name and SAN IPs of the certificate. For a single-node deployment, SAN IP field must have the management IP of the system. In multi-node deployment, ensure that the node IPs and the VIP are present.
  • If there are any multiaccess subinterfaces, ensure to add these IPs to the SAN IPs when you generate a certificate.


Expiry and Alerts

The certificate is valid till 3 years from the date of installation. It is regenerated whenever a new multiaccess subinterface is created or deleted from EFA.

Legacy notification is sent to the user if the certificate is going to expire in 30 days. If you do not renew the certificates within 7 days of expiry, a following warning message is displayed on every login to the EFA CLI.

(efa:extreme)extreme@tpvm:/apps/test/certs$ efa login
Login successful.
Warning: The certificate for 'EFA' will expire on '2022-04-08 14:43:43 +0530 IST'.
--- Time Elapsed: 5.532391719s ---
EFA server certificate supports the following alerts which effects the health of EFA security subsystem.

For more information, see Fault Management.


To renew the server certificate, use the following command:

(efa:extreme)extreme@tpvm:/apps$ efa certificate server renew
Certificate renewal is successful
--- Time Elapsed: 33.516064167s ---


  • Renewal is not applicable if the third-party certificates are installed on the system. You must upload a new certificate as described in the "Third-party certificates" section of HTTPS Certificates.
  • On renewal of certificate or a successful upload, CertificateRenewalAlert is raised which changes the health of the system to green.