Syslog CA

Use this topic to learn about the third-party certificates for RASlog service (syslog from SLX).

XCO ships with default certificates. These are self-signed, and the same certificates are used to listen for the syslog messages received from SLX.

$ efa inventory device register --ip=10.x.x.x --username=admin --password=password 
+----+------------+-----------+-------+--------------+----------+---------+--------+ 
| ID | IP Address | Host Name | Model | Chassis Name | Firmware | Status  | Reason | 
+----+------------+-----------+-------+--------------+----------+---------+--------+ 
| 1  | 10.x.x.x   | SLX       | 3012  | SLX9250-32C  | 20.2.3d  | Success |        | 
+----+------------+-----------+-------+--------------+----------+---------+--------+ 
Device Details 
--- Time Elapsed: 1m6.570042048s ---

The syslog certificate on the device is the default CA that XCO contains. The XCO Intermediate CA is pushed to SLX for mutual TLS over port 6514 to receive messages from SLX.

SLX# show crypto ca certificates
syslog CA certificate(Server authentication): 
SHA1 Fingerprint=A3:E8:F6:CB:46:F6:43:C5:D1:90:1F:A7:C6:58:93:29:77:6F:2F:8E 
Subject: C=US, ST=CA, O=Extreme Networks, OU=Extreme Fabric Automation Intermediate, CN=EFA Intermediate CA/emailAddress=support@extremenetworks.com 
Issuer: C=US, ST=CA, L=SJ, O=Extreme Networks, OU=Extreme Fabric Automation, CN=efa.extremenetworks.com/emailAddress=support@extremenetworks.com 
Not Before: Feb 20 22:25:26 2020 GMT 
Not After : Feb 17 22:25:26 2030 GMT 

An enhancement updates the RASlog service to use the custom certificates that XCO servers use. The certificate CLI on XCO contains a new parameter, which enables you to upload a CA certificate.

$ efa certificate server --certificate=my_server_162.pem --key=my_server_162.key --cacert=ca-chain.pem 
Please wait as the certificates are being installed... 
Certificates were installed! 
--- Time Elapsed: 30.946303683s ---

If a third-party certificate is installed on XCO along with a CA certificate, that CA is pushed to the device as the syslog CA instead of the default XCO Intermediate CA.

SLX# show crypto ca certificates 
syslog CA certificate(Server authentication): 
SHA1 Fingerprint=32:70:EB:91:F4:6D:9C:9F:6E:35:E0:00:20:B8:1A:FF:AF:BA:0D:8A 
Subject: C=US, O=xyz, OU=abcd, CN=INTERIM-CN 
Issuer: C=US, O=xzy, OU=abcd, CN=ROOT-CN 
Not Before: Feb 15 14:56:08 2022 GMT 
Not After : Nov 11 14:56:08 2024 GMT

If you do not provide any CA certificate, the default certificates of XCO are used. If there are already registered devices, then the syslog certificate is automatically updated on these devices.

Expiry and Alerts

The syslog CA has the same expiry as the XCO Intermediate CA or the third-party CA. A legacy notification is sent to users if the certificate is going to expire in 30 days. It supports the following alerts, which affect the health of the XCO security subsystem.

For more information, see Fault Management - Alerts.
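
A device-side check for the behaviour described above, as an added example (not XCO or SLX code): it parses `show crypto ca certificates` output, confirms that the device holds the expected syslog CA by SHA1 fingerprint, and flags expiry inside the 30-day window. The function names are hypothetical, the sample is copied from the output on this page, and the expected fingerprint is assumed to be obtained out of band from the CA certificate you uploaded.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the third-party syslog CA output shown on this page.
SAMPLE = """\
SLX# show crypto ca certificates
syslog CA certificate(Server authentication):
SHA1 Fingerprint=32:70:EB:91:F4:6D:9C:9F:6E:35:E0:00:20:B8:1A:FF:AF:BA:0D:8A
Subject: C=US, O=xyz, OU=abcd, CN=INTERIM-CN
Issuer: C=US, O=xzy, OU=abcd, CN=ROOT-CN
Not Before: Feb 15 14:56:08 2022 GMT
Not After : Nov 11 14:56:08 2024 GMT
"""
_FIELD = re.compile(r"^(SHA1 Fingerprint|Subject|Issuer|Not Before|Not After)\s*[:=]\s*(.+)$")
_DATE_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_syslog_ca(output):
    """Return the fields of the 'syslog CA certificate' block ({} if absent)."""
    cert, in_block = {}, False
    for line in (raw.strip() for raw in output.splitlines()):
        if line.startswith("syslog CA certificate"):
            in_block = True
        elif in_block and (m := _FIELD.match(line)):
            cert[m.group(1)] = m.group(2)
        elif in_block and cert:
            break  # first non-field line after the fields ends the block
    return cert

def check_syslog_ca(output, expected_sha1, now, warn_days=30):
    """Return findings; an empty list means expected CA, not close to expiry."""
    cert = parse_syslog_ca(output)
    if "SHA1 Fingerprint" not in cert or "Not After" not in cert:
        return ["syslog CA certificate missing or incomplete on device"]
    findings = []
    if cert["SHA1 Fingerprint"].upper() != expected_sha1.strip().upper():
        findings.append("fingerprint mismatch: device holds a different syslog CA")
    not_after = datetime.strptime(cert["Not After"], _DATE_FMT).replace(tzinfo=timezone.utc)
    if not_after <= now:
        findings.append("syslog CA expired")
    elif not_after - now <= timedelta(days=warn_days):
        findings.append(f"syslog CA expires in {(not_after - now).days} days")
    return findings

if __name__ == "__main__":
    expected = "32:70:EB:91:F4:6D:9C:9F:6E:35:E0:00:20:B8:1A:FF:AF:BA:0D:8A"
    print(check_syslog_ca(SAMPLE, expected, datetime.now(timezone.utc)))
```

A fingerprint mismatch on an already registered device means the automatic update described above has not reached it; the manual device update or DRC described under Renewal pushes the syslog certificate again.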

Renewal

Performing a manual device update or DRC will also update the SLX syslog certificate.