Obtaining the Certificate

When the TLS identity authentication and data encryption/decryption switches (target_tls_switch and host_tls_switch) are enabled, HAF uses a certificate to authenticate the identities of the communicating host nodes and offload nodes, so a trusted certificate is required. HAF does not provide a default certificate; you must generate one manually. If target_tls_switch and host_tls_switch are disabled, skip this section.

To obtain the issued HAF certificate, perform the following steps:

  1. Generate a CSR file on the server that requires a certificate.
  2. Export the CSR file on the server that requires the certificate.
  3. Sign the certificate on the CA server.
  4. Import the certificate on the server that requires the certificate.

Step 1 is performed automatically by the installation script that HAF provides. Steps 2 and 4 can be performed using the haf-tool CLI tool. HAF does not provide a certificate issuing function, so step 3 is performed on your own CA server. Before exporting a CSR file, you need to set up a CA server and configure a directory for the CA server to issue the certificate.

The detailed operations are as follows:

  • When the CA server is used to issue certificates, ensure that the time on each node is synchronized. Otherwise, certificate verification fails because of the system time difference.
  • The host nodes and offload nodes must use the same CA server to issue certificates.
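
The four steps and the two constraints above, sketched with generic OpenSSL commands as an added example; this is not HAF's installation script or haf-tool, whose commands are not shown here. All directory and file names, subject names and the 30-day lifetime are assumptions.

```shell
# Added illustration using plain OpenSSL; paths, names and lifetimes are assumptions.
set -eu

make_ca() {     # $1 = CA directory; throwaway root, key left unencrypted for the demo only
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=example-ca-$(basename "$1")" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_csr() {    # step 1, on the node: $1 = node directory, $2 = node name
  mkdir -p "$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1/node.key" -out "$1/node.csr" 2>/dev/null
}

sign_csr() {    # step 3, on the CA server: $1 = CA directory, $2 = directory holding the exported CSR
  openssl x509 -req -in "$2/node.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 30 -out "$2/node.crt" 2>/dev/null
}

check_cert() {  # before step 4: $1 = CA directory, $2 = node directory, $3 = optional epoch time
  # The returned certificate must carry the same public key as the CSR that was exported.
  [ "$(openssl x509 -in "$2/node.crt" -noout -pubkey)" = \
    "$(openssl req -in "$2/node.csr" -noout -pubkey)" ] || return 1
  # Chain and validity-period check; -attime evaluates it as a node with that clock would.
  openssl verify ${3:+-attime "$3"} -CAfile "$1/ca.crt" "$2/node.crt" >/dev/null 2>&1
}

# Demo in a temporary directory: one shared CA, plus a second CA to show the mismatch case.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_ca "$work/ca"; make_ca "$work/other-ca"
make_csr "$work/host" host-node;       sign_csr "$work/ca" "$work/host"
make_csr "$work/offload" offload-node; sign_csr "$work/other-ca" "$work/offload"
now=$(date +%s)

check_cert "$work/ca" "$work/host" && echo "host: chains to the shared CA"
check_cert "$work/ca" "$work/offload" || echo "offload: rejected, issued by a different CA"
check_cert "$work/ca" "$work/host" $((now - 86400)) \
  || echo "host: rejected on a node whose clock is one day behind"
```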