The tlsutil utility is used to obtain and install signed certificates and private keys for use with TLS.
tlsutil Syntax
tlsutil -c [-s | -l | -u [-e expire_time]] [-d directory] [-v] [-k rsa[:keylength] | ec[:named_curve]] [-g "genpkey_parameters"] [-z] database_name ...
tlsutil -i [-d directory] [-v] [-z [-f filename]]
tlsutil -r [-l] [-d directory] [-v]
tlsutil -t [-l] [-d directory] [-v] [-e expire_time]
tlsutil -h
tlsutil Syntax Elements
The following table contains descriptions of the tlsutil command arguments.
Command Arguments | Description |
---|---|
-c | Create one or more Certificate Signing Requests (CSRs). |
-d | Directory to hold certificates, keys and temporary storage. The directory must start with "/". |
-e | Validity threshold until certificate expiration in days. |
-f | File (in ZIP format) containing all signed certificates. |
-g | Passes a quoted string of parameters to openssl genpkey, which is then used to generate the private keys. Do not include "openssl genpkey" or the "-out" parameter. |
-h | Displays the help text and lists the valid values for named curves. |
-i | Installs all signed certificates and private keys. |
-k | The -k option provides parameters for rsa and ec private key generation. For example: |
-l | Local node only. Note: the default is to perform operations on all nodes. |
-r | Remove temporary directories and other subdirectories from default locations. If the -d option is used, -r will remove <directory>/tmpdir and all subdirectories. |
-s | The same private key and signed certificate are installed on all nodes. The -s option is used with tlsutil -c (create CSR mode). This option creates a single CSR which can be used on any node in the system. When the -s option is used, instead of using the output of nodenames (which may include node-specific names), only the list of database names intended to be passed to nodenames is used. A single CSR is created. The user is responsible for using the CSR to generate a signed certificate. When tlsutil -i is run to install the signed certificate, the single signed certificate is installed on all nodes, along with the same private key. |
-t | Test mode. Used to confirm that signed certificates are valid. |
-u | Update mode. Only create CSRs for nodes where the installed private key or certificate is missing, invalid, or the certificate is at or near expiration. |
-v | Verbose mode. |
-z | Zipped file used to hold all CSRs and signed certificates. -z has no effect when running in local mode. |
- directory: The name of the directory to hold certificates, keys, and temporary storage. The directory must start with "/".
- database_name: Name of the database. Teradata recommends using the fully qualified name of the database. For example: xyz.example.com.
- expire_time: Number of days until a certificate expires.
- filename: Name of the ZIP file that contains all of the signed certificates.
- genpkey_parameters: genpkey is an OpenSSL command that generates a private key.
- named_curve: The name of the elliptic curve you want to use.
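
The -u and -t descriptions above turn on whether a certificate is missing, invalid, or within expire_time days of expiry. The following added example (not Teradata code and not how tlsutil is implemented) shows an independent check of those three conditions for a single PEM certificate with openssl. It covers the certificate only, not the private key; it assumes an openssl binary on PATH, and the function names, file names and sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a PEM certificate against a threshold in days.
# Prints one of: missing, invalid, expiring, ok.
# Assumption: openssl is on PATH; all names below are hypothetical.

cert_status() {
    cert=$1
    days=$2
    [ -f "$cert" ] || { echo missing; return 0; }
    # Reject anything that does not parse as an X.509 certificate.
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo invalid; return 0; }
    # -checkend takes seconds and exits non-zero when notAfter falls
    # inside the window, i.e. the certificate is at or near expiration.
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" \
        >/dev/null 2>&1; then
        echo ok
    else
        echo expiring
    fi
}

# Constructed sample: a throwaway self-signed certificate and key,
# valid for the given number of days, written into the given directory.
make_sample_cert() {
    dir=$1
    valid_days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days "$valid_days" \
        -subj "/CN=xyz.example.com" \
        -keyout "$dir/sample.key" -out "$dir/sample.pem" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d)
    make_sample_cert "$tmp" 30
    printf 'not a certificate\n' > "$tmp/garbage.pem"
    echo "30-day cert, threshold 7:  $(cert_status "$tmp/sample.pem" 7)"
    echo "30-day cert, threshold 60: $(cert_status "$tmp/sample.pem" 60)"
    echo "unparsable file:           $(cert_status "$tmp/garbage.pem" 7)"
    echo "absent file:               $(cert_status "$tmp/none.pem" 7)"
    rm -rf "$tmp"
}

demo
```
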