Configuring Signed Certificates | SQL Engine 17.10 | Teradata Vantage - 17.10 - Configuring Signed Certificates and Private Keys - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Advanced SQL Engine
Teradata Database
Release Number
Release Date
July 2021
Content Type
Publication ID
English (United States)

TLS requires each database and Unity server to have a signed certificate and private key.

Generating the signed certificates requires the customer’s private key which is not available on the database servers.

Two command line tools are provided for configuring and installing certificates and keys:
  • The tlsutil tool generates the Certificate Signing Requests (CSRs) and installs the certificates and private keys. See About tlsutil.
  • The nodenames tool is invoked by tlsutil to obtain a list of the names that a node is known by for inclusion in the CSR and signed certificate. nodenames is also useful for troubleshooting some DNS issues. See About nodenames.

The process is to create CSRs and private keys for a single node or for each node in the database and collect the CSR files at the node that is running tlsutil. By default, the CSR files are placed in the directory /opt/teradata/tdat/tgtw/site/tls/tmpdir/newcsrs.

Each private key is saved in a temporary location and is not installed at this time. The private key never leaves the database server it was created for.


  • DNS must be configured for tlsutil and nodenames to work.

Generate and Install Signed Certificates and Private Keys

Perform the following steps to generate and install signed certificates and private keys.

Signed certificates cannot be created on the Teradata nodes at a customer site.
  1. Log in as root on an SQL Engine node. You may perform this process from any node. The node used for creating the CSRs must be the same node used to install the signed certificates.
  2. Create CSR(s) and private key(s). You may create a unique CSR for each node or a single CSR that is used on all nodes in a system. Perform one of the following:
    • Create a unique CSR for every node using the default 2048 bit RSA key:
      # tlsutil -c
    • Create a unique CSR for every node using an elliptic curve key:
      # tlsutil -c -k ec:secp384r1
    • Create a single CSR for all nodes in the system:
      tlsutil -c -s
  3. Move the CSR(s) to a customer system and generate a signed certificate for each CSR.

    This step is not performed on the SQL Engine nodes. The customer site administrator uses the CSR(s) to create signed certificates using a customer-defined procedure.

    Teradata recommends that you do not use self-signed certificates.
  4. Place the signed certificates on the same SQL Engine node that tlsutil was run from earlier.
    The signed certificates must be in .PEM format.

    The signed certificates can be:

    • Placed in /opt/teradata/tdat/tgtw/site/tls/tmpdir/signedcerts. The file names of the signed certificates are arbitrary.
    • Zipped into a single ZIP file and placed in /opt/teradata/tdat/tgtw/site/tls/tmpdir/zipfiles. This requires that tlsutil -c was run with the -z option.
    • Zipped into a single ZIP file and placed in a directory of your choice
  5. Install the signed certificates and private keys on each node. Installation is done with the -i option.
    This must be run on the same database server from which tlsutil was run with the -c option.

    Perform one of the following steps:

    Option Command
    Install the signed certificates and private keys.
    tlsutil -i
    If tlsutil was initially run with the -d option to specify a different directory, the same directory must be specified in the install command.
    tlsutil -i -d directory
    Use the -z option if you want tlsutil to get the signed certificates from a zipped archive at location /opt/teradata/tdat/tgtw/site/tls/tmpdir/zipfiles/all_certs.tgz.

    To use your own location for the zipped archive file, add the -f option along with the full path to the file.

    tlsutil -i -z 
    tlsutil -i -z -f zip_file_path
  6. Remove the temporary files created from previous steps on each node. Perform one of the following steps:
    Option Command
    Remove the temporary files from the default temporary directory on all the nodes. The default temporary directory is here: /opt/teradata/tdat/tgtw/site/tls/tmpdir.
    tlsutil -r
    Clean up the temporary directory on the local node only.
    tlsutil -r -l
    If you specified your own directory use the -d option to clean up.
    tlsutil -r -d directory
  7. Optional. Test that the certificates are valid:
    tlsutil -t