tlsutil - Analytics Database - Teradata Vantage

Security Administration

Analytics Database
Teradata Vantage
Release Number
June 2022
English (United States)
Last Update
Product Category
Teradata Vantage™

The tlsutil utility is used to obtain and install signed certificates and private keys for use with TLS.

tlsutil Syntax

tlsutil -c [-s | -l | -u [-e expire_time]] [-d directory]
                  [-k rsa[:keylength] | ec[:named_curve]]
                  [-g "genpkey_parameters"] [-a filename ]
                  [-n] [-v] [-m hash_alg] [-z] database_name ...

tlsutil -i [-d directory] [-v] [-z [-f filename]]

tlsutil -r [-l] [-d directory] [-v]

tlsutil -t [-l] [-d directory] [-v] [-e expire_time]

tlsutil -h

tlsutil Syntax Elements

The following table contains descriptions of the tlsutil command arguments.

Command Arguments Description
-a Allows you to provide a list of certificate attributes for the subject in an editable file. The allowed attributes are:
  • "countryName" or "C"
  • "stateOrProvinceName" or "ST"
  • "localityName" or "L"
  • "postalCode"
  • "streetAddress"
  • "organizationName" or "O"
  • "organizationalUnitName" or "OU"
  • "emailAddress"
For example:
localityName="San Antonio"
-c Create one or more Certificate Signing Requests(CSR's).
-d Specifies the directory to hold certificates, keys and temporary storage. The directory must start with "/".
-e Sets the validity threshold until certificate expiration in days.
-f Specifies the file (in ZIP format) containing all signed certificates.
-g Allows a quoted string of parameters to be passed to openssl genpkey to generate private keys using genpkey. Do not include "openssl genpkey" or the "-out" parameter.
-h Displays the help text and lists the valid values for named curves.
-i Installs all signed certificates and private keys.
-k Provides parameters for RSA and EC private key generation. For example:
  • rsa key: Optionally specify keylength. Default is 2048.
  • ec key: Optionally specify named curve. Default is secp384r1.
-l Specifies local node only. Note, the default is to perform operations on all nodes.
-m Specifies the desired signature hash algorithm while creating the CSR. Default is sha512.
-n Indicates that there is no DNS lookup of database names. When using this option, extreme care must be taken to make sure the database names specified are actually resolvable in the environments from which clients will access the nodes.

This option is primarily intended for provisioning cloud based databases. It should not be used unless absolutely necessary. It is not needed for configuring on-premises systems.

-r Removes temporary directories and other subdirectories from default locations. If the -d option is used, -r removes directory/tmpdir and all subdirectories
-s Specifies the same private key and signed certificate are installed on all nodes.

The -s option is used with tlsutil -c. This option creates a single CSR which can be used on any node in the system.

When the -s option is used, instead of using the output of nodenames (which may include node-specific names), only the list of database names intended to be passed to nodenames is used.

A single CSR is created. The user is responsible for using the CSR to generate a signed certificate.

When tlsutil -i is run to install the signed certificate, the single signed certificate is installed on all nodes, along with the same private key.

-t Specifies test mode. Used to confirm that signed certificates are valid.
-u Specifies update mode. Only create CSRs for nodes where the installed private key or certificate is missing, invalid, or the certificate is at or near expiration.
-v Specifies verbose mode.
-z Specifies the zipped file used to hold all CSRs and signed certificates. -z has no effect when running in local mode.
The name of the directory to hold certificates, keys, and temporary storage. The directory must start with "/".
Name of the database. Teradata recommends using the fully qualified name of the database. For example:
Number of days until a certificate expires.
Name of the ZIP file that contains all of the signed certificates.
genpkey is an OpenSSL command that generates a private key.
There are several parameters for genpkey. For details on genpkey parameters, see the web. The "openssl genpkey" and "-out key_file_name" arguments are not allowed in the -g option, because tlsutil supplies those.
The name of the elliptical curve encryption cipher you want to use.
tlsutil -h lists the valid named curves.