EFA Server Certificate

EFA is shipped with a self-signed certificate that is generated during installation. It is signed by the EFA Intermediate CA certificate. This certificate is used on the following ports:

Third-party Certificate

You can replace the server certificate with a third-party certificate acquired from a trusted CA (for example, Verisign or GoDaddy). The third-party certificate must be present on the host that is running EFA. You can then install it with the following command:

$ efa certificate server --help
Install certificates for EFA

Usage:
  efa certificate server [flags]
  efa certificate server [command]

Available Commands:
  renew       Renew certificates for EFA

Flags:
      --certificate string   Certificate for EFA
      --key string           Key File for the certificate
      --cacert string        CA Certificate File

Example:

$ efa certificate server --certificate=my_server.pem --key=my_server.key --cacert=ca-chain.pem
Please wait as the certificates are being installed...
Certificates were installed!
--- Time Elapsed: 30.946303683s ---
Note

  • If you install your own server certificate for the EFA HTTPS server, be sure to reinstall the certificate when you upgrade EFA.
  • Generate the third-party certificate and key without a passphrase. Certificate installation may fail if the third-party certificate or key is generated with a passphrase.
  • Ensure that the uploaded certificate is valid for at least 90 days.
  • EFA relies on the common name and the SAN IPs of the certificate. For a single-node deployment, the SAN IP field must contain the management IP of the system. In a multi-node deployment, ensure that the node IPs and the VIP are present.
  • If there are any multiaccess subinterfaces, be sure to add their IPs to the SAN IPs when you generate the certificate.

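The checks in the note above (key without a passphrase, validity of at least 90 days, required IPs in the SAN) are easy to get wrong before running efa certificate server, and the command only reports a generic failure. The following preflight script is an added example, not part of EFA or its CLI; it assumes openssl 1.1.1 or later is on the host's PATH and uses constructed placeholder paths and IPs (192.0.2.10 as the management IP, 192.0.2.100 as the VIP). It builds a throwaway certificate and key so it runs offline, and the same functions can be pointed at a real my_server.pem and my_server.key. Calling valid_for_days with 30 instead of 90 reproduces the 30-day warning window described under Expiry and Alerts.

```shell
#!/bin/sh
# Preflight checks for a third-party EFA server certificate.
# Added example: not EFA tooling. Assumes openssl >= 1.1.1 on PATH.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MGMT_IP=192.0.2.10    # constructed: management IP that must appear in the SAN
VIP=192.0.2.100       # constructed: VIP for a multi-node deployment

# Build a constructed certificate/key pair (no passphrase, 365-day validity,
# both IPs in the SAN) so the checks below can run without real material.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/my_server.key" -out "$WORK/my_server.pem" \
    -subj "/CN=efa.example.test" \
    -addext "subjectAltName=IP:$MGMT_IP,IP:$VIP" >/dev/null 2>&1
}

# 1. The key must load with an empty passphrase; a passphrase-protected key
#    makes the EFA install fail.
key_has_no_passphrase() {
  openssl pkey -in "$1" -passin pass: -noout >/dev/null 2>&1
}

# 2. The certificate and key must belong together: compare the public keys
#    extracted from each, in PEM form.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# 3. The certificate must still be valid N days from now (EFA requires >= 90
#    on upload; 30 is the warning threshold EFA uses for expiry notices).
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 4. Every required IP must be present as an "IP Address:" SAN entry. A comma
#    is appended so that 192.0.2.1 does not match 192.0.2.10 as a prefix.
san_has_ips() {
  cert=$1; shift
  sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null)
  sans="$sans,"
  for ip in "$@"; do
    case "$sans" in *"IP Address:$ip,"*) ;; *) return 1 ;; esac
  done
  return 0
}

# Run all checks: preflight <cert.pem> <key> <ip>...
preflight() {
  cert=$1; key=$2; shift 2
  key_has_no_passphrase "$key"   || { echo "FAIL: key is passphrase-protected"; return 1; }
  cert_matches_key "$cert" "$key" || { echo "FAIL: certificate does not match key"; return 1; }
  valid_for_days "$cert" 90       || { echo "FAIL: certificate valid for fewer than 90 days"; return 1; }
  san_has_ips "$cert" "$@"        || { echo "FAIL: SAN is missing one of: $*"; return 1; }
  echo "OK: $cert passes preflight"
}

make_test_cert
preflight "$WORK/my_server.pem" "$WORK/my_server.key" "$MGMT_IP" "$VIP"
```

For a real upload, replace the two paths with the certificate and key you intend to pass to efa certificate server and list the management IP, every node IP, the VIP and any multiaccess subinterface IPs as the trailing arguments.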
Location

Expiry and Alerts

The certificate is valid for 3 years from the date of installation. It is regenerated whenever a multiaccess subinterface is created in or deleted from EFA.

A legacy notification is sent to the user when the certificate is within 30 days of expiry. If you do not renew the certificate within 7 days of expiry, the following warning message is displayed on every login to the EFA CLI:

(efa:extreme)extreme@tpvm:/apps/test/certs$ efa login
Password:
Login successful.
Warning: The certificate for 'EFA' will expire on '2022-04-08 14:43:43 +0530 IST'.
--- Time Elapsed: 5.532391719s ---
The EFA server certificate supports the following alerts, which affect the health of the EFA security subsystem.

For more information, see Fault Management.

Renewal

To renew the server certificate, use the following command:

(efa:extreme)extreme@tpvm:/apps$ efa certificate server renew
Certificate renewal is successful
--- Time Elapsed: 33.516064167s ---
Note

  • Renewal does not apply when third-party certificates are installed on the system. You must upload a new certificate as described in the "Third-party certificates" section of HTTPS Certificates.
  • When a certificate is renewed or successfully uploaded, a CertificateRenewalAlert is raised, which changes the health of the system to green.