The tlsutil utility is used to obtain and install signed certificates and private keys for use with TLS.
tlsutil -c [-s | -l | -u [-e expire_time]] [-d directory] [-v] [-k rsa[:keylength] | ec[:named_curve]] [-g "genpkey_parameters"] [-z] database_name ...
tlsutil -i [-d directory] [-v] [-z [-f filename]]
tlsutil -r [-l] [-d directory] [-v]
tlsutil -t [-l] [-d directory] [-v] [-e expire_time]
tlsutil -h
tlsutil Syntax Elements
The following table contains descriptions of the tlsutil command arguments.
|-c||Create one or more Certificate Signing Requests (CSRs).|
|-d||Directory to hold certificates, keys and temporary storage. The directory must start with "/".|
|-e||Validity threshold until certificate expiration in days.|
|-f||File (in ZIP format) containing all signed certificates.|
|-g||The -g option allows a quoted string of parameters to be passed to openssl genpkey to generate private keys using genpkey. Do not include "openssl genpkey" or the "-out" parameter.|
|-h||Displays the help text and lists the valid values for named curves.|
|-i||Installs all signed certificates and private keys.|
|-k||The -k option provides parameters for rsa and ec private key generation. For example:
|-l||Local node only. By default, operations are performed on all nodes.|
|-r||Remove temporary directories and other subdirectories from default locations. If the -d option is used, -r removes <directory>/tmpdir and all subdirectories.|
|-s||The same private key and signed certificate are installed on all nodes.
The -s option is used with tlsutil -c (create CSR mode). This option creates a single CSR which can be used on any node in the system.
When the -s option is used, instead of using the output of nodenames (which may include node-specific names), only the list of database names intended to be passed to nodenames is used.
A single CSR is created. The user is responsible for using the CSR to generate a signed certificate.
When tlsutil -i is run to install the signed certificate, the single signed certificate is installed on all nodes, along with the same private key.|
|-t||Test mode. Used to confirm that signed certificates are valid.|
|-u||Update mode. Only create CSRs for nodes where the installed private key or certificate is missing, invalid, or the certificate is at or near expiration.|
|-z||Zipped file used to hold all CSRs and signed certificates. -z has no effect when running in local mode.|
- directory: The name of the directory to hold certificates, keys, and temporary storage. The directory must start with "/".
- database_name: Name of the database. Teradata recommends using the fully qualified name of the database. For example: xyz.example.com.
- expire_time: Number of days until a certificate expires.
- filename: Name of the ZIP file that contains all of the signed certificates.
- genpkey_parameters: genpkey is an OpenSSL command that generates a private key. It accepts several parameters; for details, see the OpenSSL genpkey documentation. The "openssl genpkey" and "-out key_file_name" arguments are not allowed in the -g option, because tlsutil supplies those.
- named_curve: The name of the elliptic curve you want to use. tlsutil -h lists the valid named curves.
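The argument rules above for tlsutil -c, collected into a pre-flight check that a rotation script could run before invoking the utility. This is an added example, not part of tlsutil or of the original page; the function names are hypothetical, and /opt/tls and rsa:2048 are constructed sample values.

```shell
# Added example: function names are hypothetical; tlsutil itself is never run.
# Each check mirrors one rule from the syntax table for "tlsutil -c".

err() { echo "tlsutil preflight: $*" >&2; }

check_mode() {      # $1: "", -s, -l or -u    $2: expire_time or ""
    case "$1" in ''|-s|-l|-u) ;; *) err "use at most one of -s, -l, -u"; return 1 ;; esac
    [ -z "$2" ] && return 0
    [ "$1" = "-u" ] || { err "-e is only accepted together with -u"; return 1; }
    # Assumption: expire_time is a whole number of days.
    case "$2" in *[!0-9]*) err "-e takes a number of days"; return 1 ;; esac
}

check_dir() {       # -d: the directory must start with "/"
    case "$1" in /*) ;; *) err "-d must start with \"/\": $1"; return 1 ;; esac
}

check_keyspec() {   # -k: rsa[:keylength] or ec[:named_curve]
    case "$1" in
        rsa|ec|ec:?*) return 0 ;;  # valid curve names come from "tlsutil -h"
        rsa:*) case "${1#rsa:}" in ''|*[!0-9]*) ;; *) return 0 ;; esac ;;
    esac
    err "-k expects rsa[:keylength] or ec[:named_curve], got: $1"; return 1
}

check_genpkey() {   # -g: tlsutil supplies "openssl genpkey" and "-out" itself
    case " $1 " in
        *openssl*genpkey*|*" -out "*)
            err "-g must not contain \"openssl genpkey\" or -out"; return 1 ;;
    esac
}

# preflight_csr MODE EXPIRE DIR KEYSPEC GENPKEY DATABASE...
# Pass "" for any option that is not used. Prints the command line on success.
preflight_csr() {
    mode=$1 expire=$2 dir=$3 key=$4 gen=$5; shift 5
    [ $# -ge 1 ] || { err "at least one database_name is required"; return 1; }
    check_mode "$mode" "$expire" || return 1
    [ -z "$dir" ] || check_dir "$dir" || return 1
    [ -z "$key" ] || check_keyspec "$key" || return 1
    [ -z "$gen" ] || check_genpkey "$gen" || return 1
    cmd="tlsutil -c${mode:+ $mode}${expire:+ -e $expire}${dir:+ -d $dir}${key:+ -k $key}"
    [ -z "$gen" ] || cmd="$cmd -g \"$gen\""
    echo "$cmd $*"
}

# Constructed sample values: /opt/tls and rsa:2048 are illustrative only.
preflight_csr -s "" /opt/tls rsa:2048 "" xyz.example.com
```

The -out test is matched as a whole word, so a genpkey option such as -outform is still accepted.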