Generating CSR Files

Go to the tool installation directory and run the following command to generate a CSR file:

./tools/haf-tool cert --generate

The CSR file generated on a host node is stored in the path specified by cert_path in the haf_user.conf file. The certificate of an offload node is stored in the path specified by cert_path in the haf_offload.conf file.

The generated CSR file is named service.csr, and the private key is named service.prvk (encrypted).

Table 1 Parameter description

| Option | Description | Mandatory |
|---|---|---|
| --generate | Keywords for generating a CSR file | Yes |

csr_gen.sh is the internal script that generates the CSR file. It is stored in haf-tool/scripts of the installation directory and is invoked by haf-tool. The internal invocation is as follows:

cd tools/scripts

./csr_gen.sh -n haf -t <cert_path>

Table 2 Parameter description

| Option | Description | Mandatory |
|---|---|---|
| -n haf | Service name in the CSR file. This parameter cannot be modified when haf-tool invokes csr_gen.sh. It must be haf. | Yes |
| -t <cert_path> | Path for storing the CSR file. haf-tool uses the cert_path parameter in the configuration file to invoke csr_gen.sh. | Yes |

The private key encryption password is generated by the gen_random_passwd function in the internal script util.sh, which is stored in haf-tool/scripts of the installation directory. csr_gen.sh sources util.sh and invokes gen_random_passwd internally, equivalent to running the following commands:

cd tools/scripts

source util.sh

gen_random_passwd <password_length>

Table 3 Parameter description

| Option | Description | Mandatory |
|---|---|---|
| password_length | Length of the private key encryption password. Its value must be 32 when csr_gen.sh invokes the function. | Yes |

The kmc_tool_bin tool is used to encrypt the private key. This tool is stored in bin of the installation directory and is invoked by the csr_gen.sh script. The internal invoking command is as follows:

LD_LIBRARY_PATH=<haf_dir>/lib/ <haf_dir>/bin/kmc_tool_bin --encrypt_passwd stdin --ksfa <service_ksfa_path> --ksfb <service_ksfb_path> --output_passwd_file <service_pass_path> <<< <password>

Table 4 Parameter description

| Option | Description | Mandatory |
|---|---|---|
| --encrypt_passwd stdin | Character string to be encrypted. The value of <password> is read in through redirection. The password contains 32 characters and must be the same as the password used to encrypt the private key in csr_gen.sh. | |
| --ksfa <service_ksfa_path> | Path for storing the KMC primary key file. csr_gen.sh specifies <cert_path>/service.ksfa when it invokes the encryption command. | |
| --ksfb <service_ksfb_path> | Path for storing the KMC primary key file. csr_gen.sh specifies <cert_path>/service.ksfb when it invokes the encryption command. | |
| --output_passwd_file <service_pass_path> | Path for storing the encrypted password file. csr_gen.sh specifies <cert_path>/service.pw when it invokes the encryption command. | |

  • haf_dir indicates the directory where HAF is installed.
  • When invoking kmc_tool_bin, use LD_LIBRARY_PATH to specify the path of the dependency dynamic library.
  • csr_gen.sh and kmc_tool_bin are internal tools of the software. Invoking them independently of the software is not recommended.
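
A post-generation check for the files this page describes, as an added example that is not part of HAF or its documentation: it confirms that service.csr, service.prvk, service.ksfa, service.ksfb and service.pw exist under cert_path, that the key material is accessible to the owner only, and that service.prvk is stored encrypted. The function names, the PEM encoding of service.prvk and the owner-only permission policy are assumptions of this example.

```shell
# Added example, not shipped with HAF. File names are from this page; the PEM
# markers and the owner-only permission policy are assumptions.

# Print a file's octal permission bits (GNU stat, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_cert_path <cert_path>: report findings, return 0 only if none.
audit_cert_path() {
    local dir="$1" rc=0 f mode
    # Every artifact this page names must exist and be non-empty.
    for f in service.csr service.prvk service.ksfa service.ksfb service.pw; do
        [ -s "$dir/$f" ] || { echo "MISSING  $f"; rc=1; }
    done
    # Key material and the password file: no group/other access (assumed policy).
    for f in service.prvk service.ksfa service.ksfb service.pw; do
        [ -e "$dir/$f" ] || continue
        mode=$(file_mode "$dir/$f")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "PERMS    $f is mode $mode"; rc=1
        fi
    done
    # service.prvk must be encrypted at rest (assumes PEM, PKCS#8 or legacy).
    if [ -s "$dir/service.prvk" ] && ! grep -qE \
        'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$dir/service.prvk"
    then
        echo "PLAINKEY service.prvk has no encrypted-PEM marker"; rc=1
    fi
    return "$rc"
}

# Constructed demo: a directory with an unencrypted, world-readable key.
demo_dir=$(mktemp -d)
for f in service.csr service.ksfa service.ksfb service.pw; do
    echo "constructed placeholder" > "$demo_dir/$f"
done
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' > "$demo_dir/service.prvk"
chmod 600 "$demo_dir"/service.*
chmod 644 "$demo_dir/service.prvk"
audit_cert_path "$demo_dir" || echo "audit failed, as expected for this sample"
rm -rf "$demo_dir"
```

Run `audit_cert_path` against the directory that cert_path points to in haf_user.conf or haf_offload.conf after `./tools/haf-tool cert --generate` completes.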