K3s CA

EFA uses K3s for management of microservices which comes up with its own certificates.


Expiry and Alerts

The certificate is valid till 10 years from the date of installation which are regenerated after every upgrade. It supports the following alerts which effects the health of EFA security subsystem:

For more information, see Fault Management.


To renew or regenerate the K3S CA, use the renewal script efa_k3s_renew_certs.sh.



In TPVM, the renewal script is available in /apps/efa/ and /opt/efa/ on a serverinstallation.
sudo bash <path to the script>/efa_k3s_renew_certs.sh --type ca


If there are any third-party certificates already installed on EFA, reinstall these certificates after K3s CA certificates are regenerated.

On renewal of the certificate, CertificateRenewalAlert is raised which changes the health of the system to green.