Raft storage with TLS certificates

In the documentation of raft configuration there is below example

I don’t understand few things

  1. Cluster is on 8201 but leader_api_addr is on 8200

  2. What is leader_ca_cert_file and how it is related to tls_cert_file in listener configuration (https://www.vaultproject.io/docs/configuration/listener/tcp#tls_cert_file)

  3. In below example there are different CA for every node - is it really possible? Are they used for TLS connection? How are they verified?

Generally I am looking for information how these certificates are used by vault

storage “raft” {
path = “/Users/foo/raft/”
node_id = “node1”

retry_join {
leader_api_addr = “http://127.0.0.2:8200
leader_ca_cert_file = “/path/to/ca1”
leader_client_cert_file = “/path/to/client/cert1”
leader_client_key_file = “/path/to/client/key1”
}
retry_join {
leader_api_addr = “http://127.0.0.3:8200
leader_ca_cert_file = “/path/to/ca2”
leader_client_cert_file = “/path/to/client/cert2”
leader_client_key_file = “/path/to/client/key2”
}
retry_join {
leader_api_addr = “http://127.0.0.4:8200
leader_ca_cert_file = “/path/to/ca3”
leader_client_cert_file = “/path/to/client/cert3”
leader_client_key_file = “/path/to/client/key3”
}
}