EOS mTLS Configuration
EOS supports the use of mutual TLS (mTLS) for gRPC, RESTCONF and eAPI services. This allows the use of certificates, signed by a recognized and trusted CA, for authentication to gNMI and other gRPC based services.
By default only certificates signed with Arista's CA are trusted. In order to generate and sign certificates for mTLS authentication, an operator will need to install and configure a certifying authority (CA) that is used for signing certificates that are generated on network elements as well as the servers that will be interacting with the gRPC services. The necessary certificates for establishing the chain of trust will need to be imported into the switches and tools interacting with the switches.
This document outlines the necessary steps to generate certificate signing requests (CSR) on arista devices, sign the certificates and import these into the switches.
- Setup a private certificate authority (CA). This document uses easy-rsa
- Generate CSRs from the switch as well as for the host that will be initiating connections to the switch using mTLS as the authentication mechanism.
- Sign the CSRs using the CA tools.
- Copy the relevant elements to the switch (signed server certificate and CA certificate).
- Configure the switch to use the certificates and the associated CA certificate to perform mTLS authentication.
- Initiate connections from the clients to the switch to execute gNMI RPCs.
The simple installation of Easy-RSA is well documented in the Easy RSA quick start guide. For a more durable installation you're encouraged to review the Easy-RSA documentation and customize the settings to your environment.
Easy-RSA CA parameters
easy RSA version: 3.0.8
As of this writing EOS only supports RSA certificates, this differs from the default configuration of Easy-RSA. The
following variable in the
vars file will need to be set in order to generate the appropriate certificate type.
set_var EASYRSA_ALGO "rsa"
easyrsa build-ca command to create the necessary certificate signing infrastructure within easyrsa. This will
ca.crt certificate which can be imported into the PKI validation chain of the switches and other hosts in
your PKI domain. This can also be used in a standalone manner with most gnmi clients.
In our case, this CA certificate resides in:
This will need to be imported into the network elements where you're using mTLS for authentication.
Generate a Local Client Certificate
This will be used by local clients (gnmi, gnoi, gribi, etc.) connecting to the switches in order to authenticate.
gnmi-client.cnf configuration file provided in the following
openssl command is used to create the Subject
Alternate Name IP address entry associated with the client certificate. This is optional and is not required for
mkdir ~/gnmi-client-cert cd ~/gnmi-client-cert openssl req -out gnmi-client.csr -newkey rsa:2048 -nodes -keyout gnmi-client.key -config gnmi-client.cnf
The above commands will generate a private key as well as the Certificate Signing Request (CSR)
Sign the Local Client Certificate with Easy-RSA
Note, that this is going to be a client certificate. As our gnmi client will be talking to the gnmi server on the switch.
cd ~/easy-rsa ./easyrsa import-req ../gnmi-client-cert gnmi-client.csr gnmi-client ./easyrsa sign-req client gnmi-client
sign-req command generates the following output.
Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020 ... snipped ... subject= countryName = us stateOrProvinceName = mn localityName = minneapolis organizationName = arista-lab commonName = firstname.lastname@example.org X509v3 Subject Alternative Name: IP:192.168.1.11 Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /home/sulrich/easy-rsa/pki/easy-rsa-3625384.5yQThV/tmp.kaJhk0 Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'us' stateOrProvinceName :ASN.1 12:'mn' localityName :ASN.1 12:'minneapolis' organizationName :ASN.1 12:'arista-lab' commonName :ASN.1 12:'email@example.com' Certificate is to be certified until Oct 10 19:45:42 2023 GMT (825 days) Write out database with 1 new entries Data Base Updated Certificate created at: /home/sulrich/easy-rsa/pki/issued/gnmi-client.crt
Switch Side Actions
- Generate a key pair on the switch the key will be named
security pki key generate rsa 4096 v1.key
- Generate the CSR
security pki certificate generate signing-request key v1.key
- Capture the CSR text into a file and copy this to the CA server.
Sign the Switch CSR with Easy-RSA
Note that in this case we're generating a server certificate.
cd ~/easy-rsa ./easyrsa import-req ../v1.csr v1 ./easyrsa sign-req server v1
This will generate the signed certificate and place it into the easy-rsa local store.
- Copy this to the switch and import it into the switch's certificate store.
copy file:/mnt/flash/v1.crt certificate:v1.crt
Copy the Private CA Certificate to the Switch
You will need to copy the
CA.crt (commonly in
<easyrsa_root>/pki/ca.crt) to the switch and add it to the list of
certificates. In the following example the file has been copied to the switch as
copy flash:demo-ca.crt certificate:
SSL Profile Configuration
Configure the necessary
ssl profile and include the
demo-ca.crt in the list of trusted CAs.
management security ssl profile test-arista certificate v1.crt key v1.key trust certificate demo-ca.crt !
The following configuration associates the gnmi service withthe associated ssl profile and enables it for use with mTLS for authentication.
management api gnmi transport grpc default ssl profile test-arista provider eos-native !
At this point the switch is configured to accept connections from clients with valid, signed certificates.
Useful Troubleshooting Commands
show management api gnmi
This command enables you to determine the operational state of the gnmi process as well as whether or not the ssl profile is considered valid.
show management security ssl profile
This command enables you to see the state of the ssl profiles and whether there are issues with the validation chain.
Clocks and Certificate Lifetime
Certificates should be created with a finite lifetime and rotated within that lifetime. However, if the clocks on the switch are grossly off this may impact certificate operation. Make sure that the clock on the switch is set correctly and synchronized to a reliable time source.
gnmi (Arista Client)
gnmi -addr 192.168.1.21:6030 \ -username admin -password arista \ -cafile easy-rsa/pki/ca.crt \ -certfile easy-rsa/pki/issued/gnmi-client.crt \ -keyfile gnmi-client/gnmi-client.key capabilities
gnmic -a 192.168.1.21:6030 -u admin -p arista \ --tls-ca easy-rsa/pki/ca.crt \ --tls-cert easy-rsa/pki/issued/gnmi-client.crt \ --tls-key gnmi-client/gnmi-client.key capabilities