EFA Server Certificate
EFA is shipped with a self-signed certificate that is generated during installation. It is signed by the EFA Intermediate CA certificate. This certificate is used on the following ports:
- 443: Secure installation of EFA
- 8078: Monitoring service of EFA
- 6514: RASlog server, used by devices to connect to EFA
Third-party Certificate
You can replace the server certificate with a third-party certificate acquired through a trusted CA (for example, Verisign or GoDaddy). The third-party certificate must be present on the host that is running EFA. You can then install it with the following command:
$ efa certificate server --help
Install certificates for EFA

Usage:
  efa certificate server [flags]
  efa certificate server [command]

Available Commands:
  renew       Renew certificates for EFA

Flags:
      --certificate string   Certificate for EFA
      --key string           Key File for the certificate
      --cacert string        CA Certificate File
Example:
$ efa certificate server --certificate=my_server.pem --key=my_server.key --cacert=ca-chain.pem
Please wait as the certificates are being installed...
Certificates were installed!
--- Time Elapsed: 30.946303683s ---

Note
- If you install your own server certificate for use with the EFA HTTPS server, be sure to reinstall it when you upgrade EFA.
- Generate the third-party certificate and key without a passphrase. Certificate installation may fail if the third-party certificate or key is generated with a passphrase.
- Ensure that the uploaded certificate has a validity of at least 90 days.
- EFA relies on the common name and the SAN IPs of the certificate. For a single-node deployment, the SAN IP field must contain the management IP of the system. In a multi-node deployment, ensure that the node IPs and the VIP are present.
- If there are any multiaccess subinterfaces, add their IPs to the SAN IPs when you generate the certificate.
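As an added example (not part of the EFA documentation or product), the following POSIX shell pre-check tests a certificate and key against the requirements above before you run efa certificate server. It assumes openssl is installed on the host and that the node IPs and VIP expected as SAN IPs are passed as arguments; the demo CA and server certificate it generates are constructed throwaway material.

```shell
#!/bin/sh
# Pre-flight checks for a third-party EFA server certificate, to run on the
# host before "efa certificate server --certificate ... --key ... --cacert ...".
# Assumptions (not from the EFA docs): openssl is installed; the node IPs and
# VIP that must appear as SAN IPs are passed as arguments; return 0 = all good.

# efa_cert_precheck CERT KEY CACERT IP [IP...]
efa_cert_precheck() {
  cert=$1; key=$2; cacert=$3; shift 3
  # 1. The key must not be passphrase-protected (installation may fail otherwise).
  if grep -q 'ENCRYPTED' "$key"; then echo "key is passphrase-protected"; return 1; fi
  # 2. Certificate and key must belong together: compare the public keys.
  c=$(openssl x509 -in "$cert" -noout -pubkey)
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ "$c" = "$k" ] || { echo "certificate and key do not match"; return 1; }
  # 3. The certificate must chain to the CA file that will be passed as --cacert.
  openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1 \
    || { echo "certificate does not verify against $cacert"; return 1; }
  # 4. At least 90 days of validity must remain (90 * 86400 seconds).
  openssl x509 -in "$cert" -noout -checkend 7776000 >/dev/null \
    || { echo "less than 90 days of validity left"; return 1; }
  # 5. Every management IP / VIP must be listed as a SAN IP entry.
  sans="$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' || true),"
  for ip in "$@"; do
    case "$sans" in *"IP Address:$ip,"*) ;; *) echo "SAN is missing IP $ip"; return 1 ;; esac
  done
  echo "precheck passed"
}

# Constructed demo material (throwaway CA and server cert, not real EFA certs):
# the server cert carries a constructed node IP and VIP as SAN IP entries.
make_demo_certs() {
  dir=$1; mkdir -p "$dir"
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.cnf"
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo CA" -keyout "$dir/ca.key" -out "$dir/ca-chain.pem" 2>/dev/null
  openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=efa.example" \
    -keyout "$dir/my_server.key" -out "$dir/my_server.csr" 2>/dev/null
  printf 'subjectAltName=IP:10.0.0.5,IP:10.0.0.6\n' > "$dir/san.cnf"
  openssl x509 -req -in "$dir/my_server.csr" -CA "$dir/ca-chain.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/san.cnf" -out "$dir/my_server.pem" 2>/dev/null
}

# Usage: d=$(mktemp -d); make_demo_certs "$d"
#        efa_cert_precheck "$d/my_server.pem" "$d/my_server.key" "$d/ca-chain.pem" 10.0.0.5 10.0.0.6
```

Run the check with the real certificate, key and CA chain and the addresses of every node (plus the VIP and any multiaccess subinterface IPs); only install when it reports "precheck passed".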
Location
- Default certificate
  - TPVM: /apps/efadata/certs/own/tls.crt
  - Server: /opt/efadata/certs/own/tls.crt
- Third-party certificate
  - TPVM: /apps/efadata/certs/thirdparty/tls.crt
  - Server: /opt/efadata/certs/thirdparty/tls.crt
- Third-party CA certificate
  - TPVM: /apps/efadata/certs/thirdparty/custom-ca-chain.pem
  - Server: /opt/efadata/certs/thirdparty/custom-ca-chain.pem
Expiry and Alerts
The certificate is valid for 3 years from the date of installation. It is regenerated whenever a multiaccess subinterface is created in or deleted from EFA.
A legacy notification is sent to the user if the certificate is going to expire within 30 days. If you do not renew the certificate within 7 days of expiry, the following warning message is displayed on every login to the EFA CLI.
(efa:extreme)extreme@tpvm:/apps/test/certs$ efa login
Password:
Login successful.
Warning: The certificate for 'EFA' will expire on '2022-04-08 14:43:43 +0530 IST'.
--- Time Elapsed: 5.532391719s ---

The EFA server certificate supports the following alerts, which affect the health of the EFA security subsystem.
- CertificateExpiryNoticeAlert
- CertificateExpiredAlert
- CertificateUnreadableAlert
For more information, see Fault Management.
Renewal
To renew the server certificate, use the following command:
(efa:extreme)extreme@tpvm:/apps$ efa certificate server renew
Certificate renewal is successful
--- Time Elapsed: 33.516064167s ---

Note
- Renewal is not applicable if third-party certificates are installed on the system. You must upload a new certificate as described in the "Third-party Certificate" section of HTTPS Certificates.
- On renewal of the certificate or on a successful upload, CertificateRenewalAlert is raised, which changes the health of the system to green.