17.10 - About tlsutil - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Advanced SQL Engine
Teradata Database
Release Number
Release Date
July 2021
Content Type
Publication ID
English (United States)

The tlsutil utility is used to obtain and install signed certificates and private keys for use with TLS.

tlsutil Syntax

tlsutil -c [-s | -l | -u [-e expire_time]] [-d directory] [-v]
                  [-k rsa[:keylength] | ec[:named_curve]]
                  [-g "genpkey_parameters"]
                  [-z] database_name ...

tlsutil -i [-d directory] [-v] [-z [-f filename]]

tlsutil -r [-l] [-d directory] [-v]

tlsutil -t [-l] [-d directory] [-v] [-e expire_time]

tlsutil -h

tlsutil Syntax Elements

The following table contains descriptions of the tlsutil command arguments.

Command Arguments Description
-c Create one or more Certificate Signing Requests(CSR's).
-d Directory to hold certificates, keys and temporary storage. The directory must start with "/".
-e Validity threshold until certificate expiration in days.
-f File (in ZIP format) containing all signed certificates.
-g The -g option allows a quoted string of parameters to be passed to openssl genpkey to generate private keys using genpkey. Do not include "openssl genpkey" or the "-out" parameter.
-h Displays the help text and lists the valid values for named curves.
-i Installs all signed certificates and private keys.
-k The -k option provides parameters for rsa and ec private key generation. For example:
  • rsa key: Optionally specify keylength. Default is 2048.
  • ec key: Optionally specify named curve. Default is secp384r1.
-l Local node only. Note, the default is to perform operations on all nodes.
-r Remove temporary directories and other subdirectories from default locations. If the -d option is used, -r will remove <directory>/tmpdir and all subdirectories
-s The same private key and signed certificate are installed on all nodes.

The -s option is used with tlsutil -c (create CSR mode). This option creates a single CSR which can be used on any node in the system.

When the -s option is used, instead of using the output of nodenames (which may include node-specific names), only the list of database names intended to be passed to nodenames is used.

A single CSR is created. The user is responsible for using the CSR to generate a signed certificate.

When tlsutil -i is run to install the signed certificate, the single signed certificate is installed on all nodes, along with the same private key.

-t Test mode. Used to confirm that signed certificates are valid.
-u Update mode. Only create CSRs for nodes where the installed private key or certificate is missing, invalid, or the certificate is at or near expiration.
-v Verbose mode.
-z Zipped file used to hold all CSRs and signed certificates. -z has no effect when running in local mode.
The name of the directory to hold certificates, keys, and temporary storage. The directory must start with "/".
Name of the database. Teradata recommends using the fully qualified name of the database. For example: xyz.example.com.
Number of days until a certificate expires.
Name of the ZIP file that contains all of the signed certificates.
genpkey is an OpenSSL command that generates a private key.
There are several parameters for genpkey. For details on genpkey parameters, see the web. The "openssl genpkey" and "-out key_file_name" arguments are not allowed in the -g option, because tlsutil supplies those.
The name of the elliptical curve encryption cipher you want to use.
tlsutil -h lists the valid named curves.