All of the XCO components produce and use different certificates.
The following tables provide information about XCO certificates.
For Alerts related to Alarms or Notifications, see Fault Management - Alerts.
Location in TPVM deployment | /apps/efadata/certs/own/tls.crt |
Location in server deployment | /opt/efadata/certs/own/tls.crt |
Description | The certificate of the XCO server for secure communication with the clients. The same certificate is used on ports 443 (default XCO), 8078 (monitor service of XCO), 6514 (syslog listener on XCO), and 8079 (host authentication service of XCO). |
Default Validity Period | Expires in 3 years from installation. Reset after every subinterface creation/upgrade |
Impact on the system | If the certificate expires, then the server communication with SSL verification enabled will fail. Disables syslog messages from the devices |
Renewal Procedure | Use the efa certificate server renew command as described in the XCO Server Certificate. |
Alarm/Notification | Notification is sent to XCO subscribers from 30 days to expiry and warning message on every login from 7 days to expiry. Notification is sent to XCO subscribers: |
Location in TPVM deployment | /apps/rancher/k3s/server/tls/server-ca.crt |
Location in server deployment | /var/lib/rancher/k3s/server/tls/server-ca.crt |
Description | XCO uses K3s for management of services. These certificates are for secure communication of K3s with clients. |
Default Validity Period | Expires in 10 years from the date of installation. |
Impact on the system | |
Renewal Procedure | K3s CA. |
Alarm/Notification | Notification is sent to XCO subscribers: |
Location in TPVM deployment | /apps/efadata/certs/ca/extreme-ca-cert.pem |
Location in server deployment | /opt/efadata/certs/ca/extreme-ca-cert.pem |
Description | The certificate of Certificate Authority, which is the issuer of client and server certificates of XCO and HTTPS certificate of SLX. Same certificate is seen as SyslogCA on SLX |
Default Validity Period | Expires in 10 years from the date of installation |
Impact on the system | |
Renewal Procedure | XCO Intermediate CA |
Alarm/Notification | Not available. Notification is sent to XCO subscribers: |
Location in TPVM deployment | /apps/efadata/certs/ca/extreme-ca-root.pem |
Location in server deployment | /opt/efadata/certs/ca/extreme-ca-root.pem |
Description | The certificate of Certificate Authority, which is the issuer of Intermediate CA certificate |
Default Validity Period | Expires in 20 years from the date of installation |
Impact on the system | |
Renewal Procedure | XCO Root CA |
Alarm/Notification | XCO Certificate Expiry Notice; XCO Certificate Expired; XCO Certificate Upload or Renewal |
Location in TPVM deployment | /apps/efadata/certs/slx-<IP>.extremenetworks.com-cert.pem |
Location in server deployment | /opt/efadata/certs/slx-<IP>.extremenetworks.com-cert.pem |
Description | The certificate of SLX Web Server (Apache) for secure communication with the device from XCO |
Default Validity Period | Expires in 2 years from installation |
Impact on the system | System will not use encryption for HTTPS requests |
Renewal Procedure | HTTPS Certificates |
Alarm/Notification | Notification is sent to XCO subscribers from 30 days of expiry. |
Location in TPVM deployment | /apps/rancher/k3s/server/tls/ |
Location in server deployment | /var/lib/rancher/k3s/server/tls/ |
Description | XCO uses K3s for management of services. This certificate is for secure communication of K3s with clients. |
Default Validity Period | Expires in 1 year from installation. Reset after every upgrade of XCO |
Impact on the system | |
Renewal Procedure | K3s Server Certificate |
Alarm/Notification | XCO Certificate Expiry Notice |
Location in TPVM deployment | /apps/efadata/certs/cert.crt.pem |
Location in server deployment | /opt/efadata/certs/cert.crt.pem |
Description | The RSA public key for JWT verification. This is also used to send user context from XCO to SLX. The same certificate is seen as the OAuth certificate on SLX. |
Default Validity Period | Expires in 10 years from the date of installation |
Impact on the system | Disables login to XCO |
Renewal Procedure | JWT Certificate |
Alarm/Notification | XCO Certificate Expiry Notice; Managed Device Certificate Expiry Notice; Managed Device Certificate Expired; XCO Certificate Upload or Renewal; Managed Device Certificate Upload or Renewal |
Location in TPVM deployment | /apps/efadata/galera/galera.pem |
Location in server deployment | /opt/efadata/galera/galera.pem |
Description | The certificate enables SSL for the replication across the nodes. This is only applicable for multi-node deployment of XCO. |
Default Validity Period | Expires in three years from the date of installation, which is reset on every upgrade. There is no downtime when the certificates are renewed. |
Impact on the system | Replication of data between the nodes will fail. |
Renewal Procedure | Galera Certificate |
Alarm/Notification | NA |
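
The following script is an added example, not part of the XCO documentation or product: it checks the certificate files listed in the tables above and reports which ones fall inside the 30-day and 7-day windows mentioned for the server certificate. Applying those windows to every certificate, the status labels, the `slx-*` glob (standing in for `slx-<IP>`) and the `*.crt` glob under the K3s `tls` directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): report expiry status of the XCO certificate files.
NOTICE_DAYS=30   # page: subscribers are notified from 30 days to expiry
WARN_DAYS=7      # page: login warning from 7 days to expiry

# cert_status FILE -> OK | NOTICE | WARNING | EXPIRED | MISSING | UNREADABLE
cert_status() {
    f=$1
    [ -f "$f" ] || { echo MISSING; return 0; }
    openssl x509 -in "$f" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 0; }
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$f" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1; then
        echo WARNING
    elif ! openssl x509 -in "$f" -noout -checkend $((NOTICE_DAYS * 86400)) >/dev/null 2>&1; then
        echo NOTICE
    else
        echo OK
    fi
}

# audit EFADATA_DIR K3S_DIR -> one "STATUS path" line per certificate location
audit() {
    efa=$1; k3s=$2
    # An unmatched glob stays literal and is reported as MISSING.
    # galera.pem exists only on multi-node deployments.
    for f in "$efa/certs/own/tls.crt" \
             "$efa/certs/ca/extreme-ca-cert.pem" \
             "$efa/certs/ca/extreme-ca-root.pem" \
             "$efa"/certs/slx-*.extremenetworks.com-cert.pem \
             "$efa/certs/cert.crt.pem" \
             "$efa/galera/galera.pem" \
             "$k3s"/server/tls/*.crt; do
        printf '%s %s\n' "$(cert_status "$f")" "$f"
    done
}

# Pick the layout from the tables: TPVM deployment or server deployment.
if [ -d /apps/efadata ]; then
    audit /apps/efadata /apps/rancher/k3s
elif [ -d /opt/efadata ]; then
    audit /opt/efadata /var/lib/rancher/k3s
fi
```

Run it as a user that can read the certificate directories; any line not starting with `OK` (or `MISSING` for `galera.pem` on a single-node deployment) points at a certificate whose renewal procedure in the tables should be scheduled.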