@mathershifter
Last active February 6, 2020 21:11

Configuring SSL certificate/key pairs

Option 1: Generate certificate/key pairs (OpenSSL on Linux)

$ openssl req -new -nodes -x509 -days 365 \
  -out eapi_server_veos1.crt \
  -keyout eapi_server_veos1.key \
  -subj "/C=US/ST=Washington/L=Seattle/O=Arista Networks/OU=Arista Northwest/CN=veos1.veoslab.lan"

# optional, for ssl authentication...
$ openssl req -new -nodes -x509 -days 365 \
  -subj '/CN=opsuser' \
  -out eapi_client_opsuser.crt \
  -keyout eapi_client_opsuser.key

Copy the pairs to the switch's flash

# the server certificate and key are both needed by the SSL profile
$ scp eapi_server_veos1.crt eapi_server_veos1.key admin@veos1.veoslab.lan:/mnt/flash
# optional, for ssl authentication (only the client certificate goes to the switch)...
$ scp eapi_client_opsuser.crt admin@veos1.veoslab.lan:/mnt/flash

veos1#copy flash:eapi_server_veos1.crt certificate:
veos1#copy flash:eapi_server_veos1.key sslkey:
# optional, for ssl authentication...
veos1#copy flash:eapi_client_opsuser.crt certificate:

Option 2: Generate the pairs on box

veos1# bash
[admin@veos1 ~]$ sudo openssl req -new -nodes -x509 -days 365 \
  -out /mnt/flash/eapi_server_veos1.crt \
  -keyout /mnt/flash/eapi_server_veos1.key \
  -subj "/C=US/ST=Washington/L=Seattle/O=Arista Networks/OU=Arista Northwest/CN=veos1.veoslab.lan"
[admin@veos1 ~]$ exit
veos1#copy flash:eapi_server_veos1.crt certificate:
veos1#copy flash:eapi_server_veos1.key sslkey:

Create an SSL profile and bind it to EAPI

!
management security
   ssl profile EAPI
      certificate eapi_server_veos1.crt key eapi_server_veos1.key
      ! optional for SSL based auth
      trust certificate eapi_client_opsuser.crt
!
management api http-commands
   ! this line leaves plain HTTP enabled next to HTTPS; use "no protocol http" for TLS only
   protocol http
   protocol https ssl profile EAPI
   no shutdown
!
! verification commands:
show management security ssl profile
show management security ssl certificate
show management security ssl key
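
A client-side counterpart to the configuration above, as an added example (not part of the original gist and not Arista's code): a Python eAPI call that trusts only the switch's self-signed certificate instead of disabling verification, and presents the optional client pair. It assumes the gist's file names are in the working directory, that eAPI is reached through its JSON-RPC `runCmds` method at `/command-api`, and that the switch accepts the trusted client certificate for authentication; the function names are illustrative.

```python
import json
import ssl
import urllib.request


def make_tls_context(server_cert, client_cert=None, client_key=None):
    """Trust only the switch's self-signed certificate; optionally present a client pair."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The self-signed server certificate acts as its own trust anchor (pinning).
    ctx.load_verify_locations(cafile=server_cert)
    if client_cert:
        # The client key stays on the management host; only the .crt is on the switch.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def build_request(host, cmds, request_id="1"):
    """Build the JSON-RPC POST for eAPI (host must match the certificate's CN)."""
    body = {
        "jsonrpc": "2.0",
        "method": "runCmds",
        "params": {"version": 1, "cmds": list(cmds), "format": "json"},
        "id": request_id,
    }
    return urllib.request.Request(
        f"https://{host}/command-api",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def run_cmds(host, cmds, ctx, timeout=10):
    """Send the commands; a TLS verification failure raises before any data is sent."""
    with urllib.request.urlopen(build_request(host, cmds), context=ctx, timeout=timeout) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(reply["error"])
    return reply["result"]


if __name__ == "__main__":
    # File and host names are the ones used in the steps above.
    ctx = make_tls_context("eapi_server_veos1.crt",
                           "eapi_client_opsuser.crt", "eapi_client_opsuser.key")
    print(run_cmds("veos1.veoslab.lan", ["show version"], ctx))
```

The certificate generated above carries the host name only in its CN, with no subjectAltName; Python's `ssl` module accepts that by default, but clients that match on subjectAltName only will reject it.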