EOS mTLS Configuration
Overview
EOS supports the use of mutual TLS (mTLS) for gRPC, RESTCONF and eAPI services. This allows the use of certificates, signed by a recognized and trusted CA, for authentication to gNMI and other gRPC based services.
By default only certificates signed with Arista's CA are trusted. In order to generate and sign certificates for mTLS authentication, an operator will need to install and configure a certifying authority (CA) that is used for signing certificates that are generated on network elements as well as the servers that will be interacting with the gRPC services. The necessary certificates for establishing the chain of trust will need to be imported into the switches and tools interacting with the switches.
This document outlines the necessary steps to generate certificate signing requests (CSR) on arista devices, sign the certificates and import these into the switches.
Process Overview
- Setup a private certificate authority (CA). This document uses easy-rsa
- Generate CSRs from the switch as well as for the host that will be initiating connections to the switch using mTLS as the authentication mechanism.
- Sign the CSRs using the CA tools.
- Copy the relevant elements to the switch (signed server certificate and CA certificate).
- Configure the switch to use the certificates and the associated CA certificate to perform mTLS authentication.
- Initiate connections from the clients to the switch to execute gNMI RPCs.
Easy-RSA Setup
The simple installation of Easy-RSA is well documented in the Easy RSA quick start guide. For a more durable installation you're encouraged to review the Easy-RSA documentation and customize the settings to your environment.
Easy-RSA CA parameters
easy RSA version: 3.0.8
As of this writing EOS only supports RSA certificates, this differs from the default configuration of Easy-RSA. The
following variable in the vars file will need to be set in order to generate the appropriate certificate type.
Use the easyrsa build-ca command to create the necessary certificate signing infrastructure within easyrsa. This will
generate a ca.crt certificate which can be imported into the PKI validation chain of the switches and other hosts in
your PKI domain. This can also be used in a standalone manner with most gnmi clients.
In our case, this CA certificate resides in: ${HOME}/easy-rsa/pki/ca.crt
This will need to be imported into the network elements where you're using mTLS for authentication.
Generate a Local Client Certificate
This will be used by local clients (gnmi, gnoi, gribi, etc.) connecting to the switches in order to authenticate.
Note the gnmi-client.cnf configuration file provided in the following openssl command is used to create the Subject
Alternate Name IP address entry associated with the client certificate. This is optional and is not required for
certificates.
mkdir ~/gnmi-client-cert
cd ~/gnmi-client-cert
openssl req -out gnmi-client.csr -newkey rsa:2048 -nodes -keyout gnmi-client.key -config gnmi-client.cnf
The above commands will generate a private key as well as the Certificate Signing Request (CSR)
Sign the Local Client Certificate with Easy-RSA
Note, that this is going to be a client certificate. As our gnmi client will be talking to the gnmi server on the switch.
cd ~/easy-rsa
./easyrsa import-req ../gnmi-client-cert gnmi-client.csr gnmi-client
./easyrsa sign-req client gnmi-client
The sign-req command generates the following output.
Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
... snipped ...
subject=
countryName = us
stateOrProvinceName = mn
localityName = minneapolis
organizationName = arista-lab
commonName = sulrich@arista.com
X509v3 Subject Alternative Name:
IP:192.168.1.11
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /home/sulrich/easy-rsa/pki/easy-rsa-3625384.5yQThV/tmp.kaJhk0
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'us'
stateOrProvinceName :ASN.1 12:'mn'
localityName :ASN.1 12:'minneapolis'
organizationName :ASN.1 12:'arista-lab'
commonName :ASN.1 12:'sulrich@arista.com'
Certificate is to be certified until Oct 10 19:45:42 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /home/sulrich/easy-rsa/pki/issued/gnmi-client.crt
Switch Side Actions
- Generate a key pair on the switch the key will be named
v1.key
- Generate the CSR
- Capture the CSR text into a file and copy this to the CA server.
Sign the Switch CSR with Easy-RSA
Note that in this case we're generating a server certificate.
This will generate the signed certificate and place it into the easy-rsa local store.
${HOME}/easy-rsa/pki/issued/v1.crt
- Copy this to the switch and import it into the switch's certificate store.
copy file:/mnt/flash/v1.crt certificate:v1.crt
Copy the Private CA Certificate to the Switch
You will need to copy the CA.crt (commonly in <easyrsa_root>/pki/ca.crt) to the switch and add it to the list of
certificates. In the following example the file has been copied to the switch as demo-ca.crt.
SSL Profile Configuration
Configure the necessary ssl profile and include the demo-ca.crt in the list of trusted CAs.
management security
ssl profile test-arista
certificate v1.crt key v1.key
trust certificate demo-ca.crt
!
gNMI Configuration
The following configuration associates the gnmi service with the associated ssl profile and enables it for use with mTLS for authentication.
At this point the switch is configured to accept connections from clients with valid, signed certificates.
Useful Troubleshooting Commands
show management api gnmi
This command enables you to determine the operational state of the gnmi process as well as whether or not the ssl profile is considered valid.
show management security ssl profile
This command enables you to see the state of the ssl profiles and whether there are issues with the validation chain.
Clocks and Certificate Lifetime
Certificates should be created with a finite lifetime and rotated within that lifetime. However, if the clocks on the switch are grossly off this may impact certificate operation. Make sure that the clock on the switch is set correctly and synchronized to a reliable time source.
Client Examples
gnmi (Arista Client)
gnmi -addr 192.168.1.21:6030 \
-username admin -password arista \
-cafile easy-rsa/pki/ca.crt \
-certfile easy-rsa/pki/issued/gnmi-client.crt \
-keyfile gnmi-client/gnmi-client.key capabilities
gnmic
gnmic -a 192.168.1.21:6030 -u admin -p arista \
--tls-ca easy-rsa/pki/ca.crt \
--tls-cert easy-rsa/pki/issued/gnmi-client.crt \
--tls-key gnmi-client/gnmi-client.key capabilities