Obtaining Certificates

When the TLS identity authentication and data encryption/decryption switches (target_tls_switch and host_tls_switch) are enabled, HAF uses a certificate to authenticate the identities of the communicating host nodes and offload nodes, so a trusted certificate is required. HAF does not provide a default certificate; you need to manually generate one. If target_tls_switch and host_tls_switch are disabled, skip this section.

To obtain the issued HAF certificate, perform the following steps:

  1. Generate a CSR file on the server that requires a certificate.
  2. Export the CSR file on the server that requires the certificate.
  3. Sign the certificate on the CA server.
  4. Import the certificate on the server that requires the certificate.

Step 1 is performed automatically by the installation script provided by HAF during the installation. Steps 2 and 4 can be performed using the haf-tool CLI tool. HAF does not provide a certificate issuing function. Before exporting a CSR file, you need to set up a CA server and configure a directory for the CA server to issue the certificate.

The detailed operations are as follows:

  • When the CA server is used to issue certificates, ensure that the time on each node is synchronized. Otherwise, the certificate verification fails due to the system time difference.
  • The host nodes and offload nodes must use the same CA server to issue certificates.
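
The following is an added example, not part of the HAF documentation or tooling. It carries out step 3 with a throwaway OpenSSL CA and then checks the two notes above: that both node certificates chain to the same CA, and that verification fails on a node whose clock is behind. The CA, file names, subjects and lifetimes are assumptions, and the CSRs it creates stand in for the ones the HAF installer generates; haf-tool export and import are not shown.

```shell
#!/bin/sh
# Added example. The CA, file names, subjects and lifetimes are assumptions;
# the CSRs made here stand in for the ones HAF's installer generates.
set -eu

make_ca() {        # $1 = CA name -> $1.key, self-signed $1.crt
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

make_csr() {       # $1 = node name -> $1.key, $1.csr (stand-in for the exported CSR)
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

sign_csr() {       # step 3: $1 = CA name, $2 = node name, $3 = days valid
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -sha256 -days "$3" -out "$2.crt" 2>/dev/null
}

same_ca() {        # $1 = CA name, rest = node names; true only if all chain to $1
  ca=$1; shift
  for node in "$@"; do
    openssl verify -CAfile "$ca.crt" "$node.crt" >/dev/null 2>&1 || return 1
  done
}

valid_at_skew() {  # $1 = CA, $2 = node, $3 = verifier clock offset in seconds
  at=$(( $(date +%s) + $3 ))
  openssl verify -attime "$at" -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1
}

cd "$(mktemp -d)"  # constructed sample data lives in a scratch directory
make_ca haf-ca
make_ca other-ca
for n in host offload; do make_csr "$n"; sign_csr haf-ca "$n" 365; done
make_csr offload2; sign_csr other-ca offload2 365

same_ca haf-ca host offload     && echo "host, offload: issued by the same CA"
same_ca haf-ca host offload2    || echo "offload2: issued by a different CA, rejected"
valid_at_skew haf-ca host 0     && echo "host cert valid on a synchronized clock"
valid_at_skew haf-ca host -3600 || echo "host cert rejected when the clock is 1 h behind"
```

In a real deployment the private key never leaves the node that generated the CSR; only the CSR goes to the CA server and only the signed certificate comes back.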