K3s Server Certificate

Location

• TPVM: /apps/efadata/certs/ca/extreme-ca-cert.pem
• Server: /opt/efadata/certs/own/extreme-ca-cert.pem

Expiry and Alerts

The certificate is valid for one year from the date of installation which is reset on every upgrade. It supports the following alerts which effects the health of XCO security subsystem:

• CertificateExpiryNoticeAlert
• CertificateExpiredAlert
• CertificateUnreadableAlert

For more information, see Fault Management - Alerts.

Renewal

You can renew or regenerate the K3s CA by using either script or command.

You can perform the renewal of K3s Server certificate only when:

• K3s server certificate has expired
• K3s server certificates expiry is less than 90 days

Note

In TPVM, the renewal script and command are available in the /apps/efa/ and /opt/efa/ directory on a server installation.

To renew or regenerate the K3S server certificate, use the renewal script efa_k3s_renew_certs.sh.

sudo bash <path to the script>/efa_k3s_renew_certs.sh --type server

To renew or regenerate the K3S server certificate, use the efa certificate server renew command.

efa certificate server renew --cert-type

On renewal of the certificate, CertificateRenewalAlert is raised which changes the health of the system to green.