How To: Activate Arista EOS eAPI over HTTPS with a Self Signed Certificate for NAPALM & Peering Manager

I have recently been integrating Peering Manager into my network deployment at my day job in order to help automate our BGP configuration & management. We run Arista switches running as routers across our entire footprint.

Peering Manager has NAPALM integration built into it, both for managing and deploying configuration as well as polling device status. However, for Arista devices, this requires the Arista eAPI to be enabled on the router, and it must be running in HTTPS mode. That means you need some sort of security certificate installed.

I hadn’t dealt with this before and this wasn’t straightforward. I wasn’t able to find great documentation online for how to do this. Below is my process for generating a self signed key, then using that key to generate a self-signed certificate, then using that certificate to allow HTTPS connections to the router over the management interface for eAPI command and control.

1. Generate a self signed key:

router# security pki key generate rsa 2048 self-signed.key

2. Generate a self signed certificate using that self signed key:

router# security pki certificate generate self-signed self-signed.crt key self-signed.key validity 3000

3. Configure an SSL profile to use this self signed certificate and self signed key:

router# configure
router(config)# management security
router(config)# ssl profile self-signed-certs
router(config)# certificate self-signed.crt key self-signed.key 

4. Enable the API using HTTP commands:

router# configure
router(config)# management api http-commands 
router(config)# protocol https ssl profile self-signed-certs
router(config)# no shutdown
router(config)# vrf MGMT
router(config)# no shutdown
router(config)# end

5. Ensure the eAPI is available over HTTP/HTTPS:

router# show management api http-commands
Enabled:            Yes
HTTPS server:       running, set to use port 443
HTTP server:        running, set to use port 80
Local HTTP server:  shutdown, no authentication, set to use port 8080
Unix Socket server: shutdown, no authentication
VRFs:               MGMT
Hits:               5
Last hit:           4102 seconds ago
Bytes in:           1108
Bytes out:          20238
Requests:           5
Commands:           12
Duration:           1.060 seconds
SSL Profile:        self-signed-cert, valid
FIPS Mode:          No
QoS DSCP:           0
Log Level:          none
CSP Frame Ancestor: None
TLS Protocols:      1.0 1.1 1.2
   User                 Requests       Bytes in       Bytes out    Last hit
-------------------- -------------- -------------- --------------- ----------------
   peeringmanager       5              1108           20238        4102 seconds ago

URLs
-----------------------------------
Management1 : https://{IP-Address}:443
Management1 : http://{IP-Address}:80

You should now be able to ping the router in Peering Manager and you should be able to poll BGP sessions and deploy configuration via Peering Manager.