Multiple certificates are generated and used across the components in XCO.
The following tables provide information about XCO certificates.
For Alerts related to Alarm/Notifications, refer to the alerts described in Fault Management - Alerts.
| Certificate | Location in TPVM deployment | Location in server deployment | Description | Default Validity Period | Impact on the system | Renewal Procedure | Alarm/Notification |
|---|---|---|---|---|---|---|---|
| SSL/TLS Certificate of XCO | /apps/efadata/certs/own/tls.crt | /opt/efadata/certs/own/tls.crt | The certificate of XCO server for secure communication with the clients. The same certificate is used on port 443 (default XCO), 8078 (monitor service of XCO), 6514 (syslog listener on XCO), 8079 (host authentication service of XCO) |
Expires in 3 years from installation. Reset after every subinterface creation/upgrade |
If the certificate expires, then the server communication with SSL verification enabled will fail. Disables syslog messages from the devices | Use the efa certificate server renew command as described in the XCO Server Certificate. | Notification is sent to XCO subscribers from 30 days to expiry and warning message on every
login from 7 days to expiry. Notification is sent to XCO subscribers:
|
| K3s CA Certificate | /apps/rancher/k3s/server/tls/server-ca.crt | /var/lib/rancher/k3s/server/tls/server-ca.crt | XCO uses K3s for management of services. These certificates are for secure communication of K3s with clients. | Expires in 10 years from the date of installation. | K3s CA. |
Notification is sent to XCO subscribers:
|
|
| Intermediate CA Certificate of XCO | /apps/efadata/certs/ca/extreme-ca-cert.pem | /opt/efadata/certs/ca/extreme-ca-cert.pem | The certificate of Certificate Authority, which is the issuer of client and server certificates of XCO and HTTPS certificate of SLX. Same certificate is seen as SyslogCA on SLX | Expires in 10 years from the date of installation | XCO Intermediate CA | Not available Notification is sent to XCO subscribers:
|
|
| Root CA Certificate of XCO | /apps/efadata/certs/ca/extreme-ca-root.pem | /opt/efadata/certs/ca/extreme-ca-root.pem | The certificate of Certificate Authority, which is the issuer of Intermediate CA certificate | Expires in 20 years from the date of installation | XCO Root CA |
XCO Certificate Expiry Notice XCO Certificate Expired XCO Certificate Upload or Renewal |
|
| HTTPS Certificate of SLX | /apps/efadata/certs/slx-<IP>.extremenetworks.com-cert.pem | /opt/efadata/certs/slx-<IP>.extremenetworks.com-cert.pem | The certificate of SLX Web Server (Apache) for secure communication with the device from XCO | Expires in 2 years from installation | System will not use encryption for HTTPS requests | HTTPS Certificates | Notification is sent to XCO subscribers from 30 days of expiry. |
| K3s Certificate - XCO internal | /apps/rancher/k3s/server/tls/ | /var/lib/rancher/k3s/server/tls/ | XCO uses k3s for management of services. This certificate is for secure communication of k3s with clients | Expires in 1 year from installation. Reset after every upgrade of XCO | K3s Server Certificate | XCO Certificate Expiry Notice | |
| JWT Signing/Verification - XCO internal | /apps/efadata/certs/cert.crt.pem | /opt/efadata/certs/cert.crt.pem | The RSA public key for JWT verification. This is also used to send user context from XCO to SLX. Same certificate is seen as Oauth certificate on SLX | Expires in 10 years from the date of installation | Disables login to XCO | JWT Certificate | XCO Certificate Expiry Notice Managed Device Certificate Expiry Notice Managed Device Certificate Expired XCO Certificate Upload or Renewal Managed Device Certificate Upload or Renewal |