Configuring Signed Certificates and Private Keys - Analytics Database - Teradata Vantage

Security Administration
Analytics Database, Teradata Vantage™
June 2022

TLS requires each database to have a signed certificate and private key.

Generating the signed certificates requires your private key, which is not available on the database servers.

Two command line tools are provided for configuring and installing certificates and keys:
  • The tlsutil tool generates the Certificate Signing Requests (CSRs) and installs the certificates and private keys. See tlsutil.
  • The nodenames tool is invoked by tlsutil to obtain a list of the names that a node is known by for inclusion in the CSR and signed certificate. nodenames is also useful for troubleshooting some DNS issues. See nodenames Utility.

The process is to create CSRs and private keys for a single node or for each node in the database and collect the CSR files at the node that is running tlsutil. By default, the CSR files are placed in the directory /opt/teradata/tdat/tgtw/site/tls/tmpdir/newcsrs.

Each private key is saved in a temporary location and is not installed at this time. The private key never leaves the database server it was created for.


  • Configure DNS for tlsutil and nodenames to work.

Generate and Install Signed Certificates and Private Keys

Perform the following steps to generate and install signed certificates and private keys.

Signed certificates cannot be created on the Teradata nodes at a customer site.
  1. Log in as root on an Analytics Database node. You may perform this process from any node. The node used for creating the CSRs must be the same node used to install the signed certificates.
  2. Create CSRs and private keys. You may create a unique CSR for each node or a single CSR that is used on all nodes in a system. Perform one of the following:
    • Create a unique CSR for every node using the default 2048-bit RSA key:
      # tlsutil -c
    • Create a unique CSR for every node using an elliptic curve key:
      # tlsutil -c -k ec:secp384r1
    • Create a single CSR for all nodes in the system:
      # tlsutil -c -s
  3. Move the CSRs to a system and generate a signed certificate for each CSR.

    This step is not performed on the Analytics Database nodes. The site administrator uses the CSRs to create signed certificates using a defined procedure.

    Teradata strongly recommends that you do not use self-signed certificates.
  4. Place the signed certificates on the same Analytics Database node that tlsutil was run from earlier.
    The signed certificates must be in PEM format.

    The signed certificates can be:

    • Placed in /opt/teradata/tdat/tgtw/site/tls/tmpdir/signedcerts. The file names of the signed certificates are arbitrary.
    • Zipped into a single ZIP file and placed in /opt/teradata/tdat/tgtw/site/tls/tmpdir/all_certs.tgz. This requires that tlsutil -c was run with the -z option.
    • Zipped into a single ZIP file and placed in a directory of your choice.
  5. Install the signed certificates and private keys on each node. Installation is done with the -i option.
    This must be run on the same database server from which tlsutil was run with the -c option.

    Perform one of the following steps:

    • Install the signed certificates and private keys:
      tlsutil -i
    • If tlsutil was initially run with the -d option to specify a different directory, the same directory must be specified in the install command:
      tlsutil -i -d directory
    • Use the -z option if you want tlsutil to get the signed certificates from a zipped archive at location /opt/teradata/tdat/tgtw/site/tls/tmpdir/zipfiles/all_certs.tgz:
      tlsutil -i -z
      To use your own location for the zipped archive file, add the -f option along with the full path to the file:
      tlsutil -i -z -f zip_file_path
  6. Remove the temporary files created from previous steps on each node. Perform one of the following steps:
    • Remove the temporary files from the default temporary directory, /opt/teradata/tdat/tgtw/site/tls/tmpdir, on all the nodes:
      tlsutil -r
    • Clean up the temporary directory on the local node only:
      tlsutil -r -l
    • Use the -d option to clean up if you specified your own directory:
      tlsutil -r -d directory
  7. [Optional] Test that the certificates are valid:
    tlsutil -t -e expire_time
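
A pre-install check for the certificates placed in step 4, to run before tlsutil -i in step 5. This is an added example, not part of tlsutil or the Teradata documentation: it confirms that each file is a PEM certificate, is not self-signed, and carries the public key of one of the CSRs still in newcsrs. It assumes the openssl CLI is available on the node and that the CSR files are PEM; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not Teradata code. Assumes the openssl CLI is on the node and
# that the CSRs are PEM. Directory defaults are the ones named on this page.
CSR_DIR=${1:-/opt/teradata/tdat/tgtw/site/tls/tmpdir/newcsrs}
CERT_DIR=${2:-/opt/teradata/tdat/tgtw/site/tls/tmpdir/signedcerts}

# pubkey_fp req|x509 FILE: print SHA-256 of the file's public key; fail if unparseable.
pubkey_fp() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# check_signed_cert CERT CSR_DIR
# Returns 0 = ok, 1 = not a PEM certificate, 2 = self-signed, 3 = key matches no CSR.
check_signed_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    cert_fp=$(pubkey_fp x509 "$1") || return 1
    # Subject and issuer names hash the same: treat the certificate as self-signed.
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" != \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ] || return 2
    for csr in "$2"/*; do
        [ -f "$csr" ] || continue
        [ "$(pubkey_fp req "$csr")" = "$cert_fp" ] && return 0
    done
    return 3
}

# check_all CSR_DIR CERT_DIR: one status line per file; returns the failure count.
check_all() {
    bad=0
    for cert in "$2"/*; do
        [ -f "$cert" ] || continue
        rc=0; check_signed_cert "$cert" "$1" || rc=$?
        case $rc in
            0) echo "OK            $cert" ;;
            1) echo "NOT-PEM-CERT  $cert" ;;
            2) echo "SELF-SIGNED   $cert" ;;
            3) echo "NO-CSR-MATCH  $cert" ;;
        esac
        [ "$rc" -eq 0 ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Run only where both directories exist (on the node, after step 4).
if [ -d "$CSR_DIR" ] && [ -d "$CERT_DIR" ]; then
    check_all "$CSR_DIR" "$CERT_DIR"
fi
```

The exit status is the number of files that failed a check, so a non-zero status can be used to hold back the install step.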