Use this topic to learn about the third-party certificates for RASlog service (syslog from SLX).
XCO is shipped with default certificates. These are self-signed and the same certificates are used for listening to the syslog messages received from SLX.
$ efa inventory device register --ip=10.x.x.x --username=admin --password=password
+----+------------+-----------+-------+--------------+----------+---------+--------+
| ID | IP Address | Host Name | Model | Chassis Name | Firmware | Status  | Reason |
+----+------------+-----------+-------+--------------+----------+---------+--------+
| 1  | 10.x.x.x   | SLX       | 3012  | SLX9250-32C  | 20.2.3d  | Success |        |
+----+------------+-----------+-------+--------------+----------+---------+--------+
Device Details
--- Time Elapsed: 1m6.570042048s ---
The syslog certificate on the device is the default CA that ships with XCO. The XCO Intermediate CA is pushed to SLX so that the syslog session to XCO on port 6514 uses mutual TLS.
SLX# show crypto ca certificates syslog
CA certificate(Server authentication):
SHA1 Fingerprint=A3:E8:F6:CB:46:F6:43:C5:D1:90:1F:A7:C6:58:93:29:77:6F:2F:8E
Subject: C=US, ST=CA, O=Extreme Networks, OU=Extreme Fabric Automation Intermediate, CN=EFA Intermediate CA/emailAddress=support@extremenetworks.com
Issuer: C=US, ST=CA, L=SJ, O=Extreme Networks, OU=Extreme Fabric Automation, CN=efa.extremenetworks.com/emailAddress=support@extremenetworks.com
Not Before: Feb 20 22:25:26 2020 GMT
Not After : Feb 17 22:25:26 2030 GMT
An enhancement updates the RASlog service to use the same custom certificates that the XCO servers use. The certificate CLI on XCO has a new --cacert parameter that lets you upload the CA chain along with the server certificate and key.
$ efa certificate server --certificate=my_server_162.pem --key=my_server_162.key --cacert=ca-chain.pem
Please wait as the certificates are being installed...
Certificates were installed!
--- Time Elapsed: 30.946303683s ---
If a third-party certificate is installed on XCO together with its CA chain, the CA from that chain is pushed to the device as the syslog CA instead of the default XCO Intermediate CA.
SLX# show crypto ca certificates syslog
CA certificate(Server authentication):
SHA1 Fingerprint=32:70:EB:91:F4:6D:9C:9F:6E:35:E0:00:20:B8:1A:FF:AF:BA:0D:8A
Subject: C=US, O=xyz, OU=abcd, CN=INTERIM-CN
Issuer: C=US, O=xzy, OU=abcd, CN=ROOT-CN
Not Before: Feb 15 14:56:08 2022 GMT
Not After : Nov 11 14:56:08 2024 GMT
If you do not provide a CA certificate, the default XCO certificates are used. If devices are already registered, the syslog certificate on those devices is updated automatically.
The syslog CA has the same expiry as the XCO Intermediate CA or the third-party CA it was taken from. A legacy notification is sent to users when the certificate is going to expire within 30 days. It supports the following alerts, which affect the health of the XCO security subsystem.
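Two things a practitioner wants to confirm after the steps above are that the CA the SLX trusts for syslog is the one actually installed on XCO (compare the SHA1 fingerprint from `show crypto ca certificates syslog` with the fingerprint of the CA in the uploaded chain) and how close that CA is to the 30-day expiry window. The following is an added example, not code from the XCO product or its documentation; it parses the device output shown above (the values are copied from the documentation example and embedded as constructed sample input), computes a PEM fingerprint the way OpenSSL prints it, and reports whether the fingerprint matches and whether expiry falls inside the 30-day notification threshold. The function names and the `expected_fingerprint` argument are this example's own.

```python
import hashlib
import re
import ssl
from datetime import datetime, timezone

# Constructed sample: output of `show crypto ca certificates syslog` on an SLX
# after a third-party CA chain was installed on XCO (values copied from the
# documentation example above, not captured from a live device).
SLX_SYSLOG_CA_OUTPUT = """\
SLX# show crypto ca certificates syslog
CA certificate(Server authentication):
SHA1 Fingerprint=32:70:EB:91:F4:6D:9C:9F:6E:35:E0:00:20:B8:1A:FF:AF:BA:0D:8A
Subject: C=US, O=xyz, OU=abcd, CN=INTERIM-CN
Issuer: C=US, O=xzy, OU=abcd, CN=ROOT-CN
Not Before: Feb 15 14:56:08 2022 GMT
Not After : Nov 11 14:56:08 2024 GMT
"""

# Threshold at which XCO sends its expiry notification (per the text above).
EXPIRY_WARNING_DAYS = 30

# Format used by the SLX output, e.g. "Nov 11 14:56:08 2024 GMT".
_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_syslog_ca(text):
    """Extract fingerprint, subject, issuer and validity from the SLX output."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        if not m:
            raise ValueError("field not found in device output: " + pattern)
        return m.group(1).strip()

    def to_utc(value):
        # Collapse any double spaces ("Feb  5") before parsing.
        parsed = datetime.strptime(" ".join(value.split()), _DATE_FMT)
        return parsed.replace(tzinfo=timezone.utc)

    return {
        "fingerprint": grab(r"^SHA1 Fingerprint=([0-9A-Fa-f:]+)").upper(),
        "subject": grab(r"^Subject:\s*(.+)$"),
        "issuer": grab(r"^Issuer:\s*(.+)$"),
        "not_before": to_utc(grab(r"^Not Before\s*:\s*(.+)$")),
        "not_after": to_utc(grab(r"^Not After\s*:\s*(.+)$")),
    }


def pem_sha1_fingerprint(pem_text):
    """SHA1 fingerprint of a PEM certificate, colon-separated like OpenSSL/SLX."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)  # strips the PEM armour, base64-decodes
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_device_syslog_ca(output, expected_fingerprint, now=None):
    """Compare the CA on the device with the CA installed on XCO and check expiry."""
    now = now or datetime.now(timezone.utc)
    ca = parse_syslog_ca(output)
    days_left = (ca["not_after"] - now).days
    return {
        "subject": ca["subject"],
        "fingerprint_matches": ca["fingerprint"] == expected_fingerprint.upper(),
        "valid_now": ca["not_before"] <= now < ca["not_after"],
        "days_until_expiry": days_left,
        "expiry_warning": days_left <= EXPIRY_WARNING_DAYS,
    }


if __name__ == "__main__":
    # In practice `expected` comes from pem_sha1_fingerprint() over the CA
    # certificate in the ca-chain.pem uploaded with `efa certificate server`.
    expected = "32:70:EB:91:F4:6D:9C:9F:6E:35:E0:00:20:B8:1A:FF:AF:BA:0D:8A"
    report = check_device_syslog_ca(SLX_SYSLOG_CA_OUTPUT, expected)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the saved output of `show crypto ca certificates syslog` for each registered device; a `fingerprint_matches` of False after a certificate upload means the device still trusts the previous CA and the automatic push described above did not take effect, while `expiry_warning` reproduces the 30-day check on the operator's side.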
When an intermediate CA is renewed on XCO, it is pushed to SLX.