XCO Intermediate CA

XCO is shipped with Intermediate CA that is used to

Generate server certificate of XCO
Generate HTTPS certificate of SLX
Connect from Syslog server of SLX

During an upgrade, the old certificates are retained, and will not be regenerated.

Location

TPVM: /apps/efadata/certs/ca/extreme-ca-cert.pem
Server: /opt/efadata/certs/own/extreme-ca-cert.pem

Expiry and Alerts

The XCO Intermediate CA is valid for 10 years from the date of installation. It supports the following alerts which effects the health of XCO security subsystem:

CertificateExpiryNoticeAlert
CertificateExpiredAlert
CertificateUnreadableAlert

For more information, see Fault Management - Alerts.

Renewal

You can renew or regenerate the Intermediate CA by using either script or command.

To renew or regenerate the Intermediate CA, run the renewal script efa_renew_certs.sh.

sudo bash <path to the script>/efa certificate server renew.sh --type intermediateca

To renew or regenerate the Intermediate CA, run the efa certificate server renew command.

efa certificate server renew --cert-type

Note

In TPVM, the renewal script and command are available in the /apps/efa/ and /opt/efa/ directory on a server installation.

After the Intermediate CA certificate is updated,

A new XCO server certificate is generated. If a third-party certificate is used, then the server certificate generation is skipped.
The Syslog certificates for the registered devices are automatically updated.
You must manually update the HTTPS certificate on the devices.

For more information about updating the certificates, see HTTPS Certificates for SLX.

On renewal of certificate, CertificateRenewalAlert is raised which changes the health of the system to green.