EFA Certificate Management

EFA requires certificates for the northbound interface and certificates for devices. Certificates in EFA are automatically generated during installation and registration of devices.

EFA Certificates

There are multiple certificates that are generated and used across the components in EFA.

  1. App Server Certificate: The certificate of EFA server for secure communication with the clients. This certificate is used on port 443 (default EFA), 8078 (monitor service of EFA), and 6514 (syslog listener on EFA).
  2. Intermediate CA Certificate: Certificate Authority, which is the issuer of client and server certificates of EFA and HTTPS certificate of SLX.
  3. Root CA Certificate: Certificate Authority, which is the issuer of Intermediate CA certificate.
  4. JWT Certificate: The RSA public key for JWT verification. This is also used to send user context from EFA to SLX.
  5. K3s Server Certificate (Internal): EFA uses K3s for management of services. This certificate is used for secure communication between K3s and its clients.
  6. K3s CA Certificate (Internal): EFA uses K3s for management of services. This CA certificate is used to issue all of the certificates of K3s.
  7. Host Authentication Service Certificate (Internal): The server certificate of the host authentication service on EFA.

Device Certificates

During the registration of an SLX device in EFA, the following certificates are installed on the device:

  1. OAuth Certificate: The public certificate for verifying an EFA token is copied to the device. This is the JWT Certificate described in EFA Certificates.
  2. Syslog Certificate: Used by the device to push syslog messages to EFA over port 6514.
  3. HTTPS Certificate: Used by the device to enable secure communication with its clients.

Along with the certificate installation, the following configuration changes are done on the registered device:

  1. HTTP mode is disabled on the device, and HTTPS is enabled.
  2. OAuth2 is enabled as the primary mode of authentication. Fallback is set to "local login."

Use the efa inventory device list command to verify the status of the certificates on the device. If the Cert/Key Saved column contains "N", the certificates are not installed on that device.
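The check above can be scripted so that devices missing their certificates are listed rather than found by eye. The following is an added example, not part of the EFA documentation or the EFA CLI: it assumes that efa inventory device list prints a pipe-delimited table with a header row containing "IP Address" and "Cert/Key Saved" columns (this layout is an assumption; adjust the column names to what your EFA version prints). The sample table inside the script is constructed for demonstration and is not real EFA output.

```shell
#!/bin/sh
# Added example (not from the EFA documentation): list registered devices whose
# "Cert/Key Saved" column reads "N" in the output of `efa inventory device list`.
# ASSUMPTION: the CLI prints a pipe-delimited table with a header row that
# contains the column names "IP Address" and "Cert/Key Saved".

# Constructed sample output, used only to demonstrate the parser offline.
SAMPLE_OUTPUT='+------------+------------+--------+----------------+
| IP Address | Host Name  | Model  | Cert/Key Saved |
+------------+------------+--------+----------------+
| 10.0.0.11  | leaf-1     | SLX    | Y              |
| 10.0.0.12  | leaf-2     | SLX    | N              |
| 10.0.0.13  | spine-1    | SLX    | Y              |
+------------+------------+--------+----------------+'

# Read a device table on stdin and print the IP address of every device whose
# Cert/Key Saved value is "N". Column positions are taken from the header row,
# so the parser does not depend on a fixed column order.
devices_missing_certs() {
  awk -F'|' '
    # Strip leading and trailing whitespace from a table cell.
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }

    # Header row: record which field holds each column of interest.
    /Cert\/Key Saved/ {
      for (i = 1; i <= NF; i++) {
        f = trim($i)
        if (f == "Cert/Key Saved") certcol = i
        if (f == "IP Address") ipcol = i
      }
      next
    }

    # Data rows start with "|"; border rows ("+---") are skipped.
    certcol && $0 ~ /^\|/ {
      if (trim($certcol) == "N") print trim($ipcol)
    }
  '
}

# Live check against EFA: run this on the EFA host where the CLI is installed.
check_live() {
  efa inventory device list | devices_missing_certs
}

# Offline demonstration on the constructed sample; prints 10.0.0.12.
printf '%s\n' "$SAMPLE_OUTPUT" | devices_missing_certs
```

Run check_live on the EFA server to get the list of devices that still need certificates installed; an empty result means every registered device reports "Y" in the Cert/Key Saved column.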