CREATE CERTIFICATE

Creates a certificate, Certificate Authority (CA), or intermediate CA.

CA certificates can be used to sign other certificates and for parameters like SSLCA.

Syntax

CREATE [CA] CERTIFICATE certificate_name 
    {AS 'cert' [KEY key_name] 
    | SUBJECT 'subject_name'
      [ SIGNED BY ca_cert ]
      [ VALID FOR days ]
      [ EXTENSIONS 'ext' = 'val',... ]
      [ KEY key_name ]}

Parameters

CA

Specifies the certificate as a CA or intermediate certificate. Excluding this argument will create a normal certificate.

certificate_name

The name of the certificate.

'cert'

The contents of the imported certificate.

This parameter should include the entire chain of certificates, excluding the CA certificate.

key_name

The name of the key.

This parameter only needs to be set for client/server certificates and CA certificates that you intend to sign other certificates with while in Vertica. If your imported CA certificate will only be used for validating other certificates, you do not need to specify a key.

'subject_name'

The entity to issue the certificate to.

ca_cert

The name of the CA that signed the certificate.

When adding a CA certificate, this parameter is optional. Specifying it will create an intermediate CA that cannot be used to sign other CA certificates.

When creating a certificate, this parameter is required.

days

The number of days that the certificate is valid.

'ext' = 'val'

Specifies certificate extensions. For a full list of extensions, see the OpenSSL documentation.

key_name

The name of the certificate's private key.

When importing a certificate, this parameter is required.

Privileges

Superuser

Default Extensions

CREATE CERTIFICATE includes several extensions by default. These differ based on the type of certificate you create:

CA Certificate:
  • 'basicConstraints' = 'critical, CA:true'
  • 'keyUsage' = 'critical, digitalSignature, keyCertSign'
  • 'nsComment' = 'Vertica generated [CA] certificate'
  • 'subjectKeyIdentifier' = 'hash'
Certificate:
  • 'basicConstraints' = 'CA:false'
  • 'keyUsage' = 'critical, digitalSignature, keyEncipherment'

Examples

See Generating TLS Certificates and Keys.
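
The following is an added example, not taken from the Vertica documentation. It walks the syntax above through a three-level chain: a root CA, an intermediate CA, and a server certificate. All object names and subject strings are constructed, and the CREATE KEY statements are an assumption of this example, since that statement is not described on this page.

```sql
-- All names and subject strings below are constructed for illustration.

-- 1. Root CA: the CA keyword without SIGNED BY (optional for CA certificates).
--    A key is set because this CA will sign other certificates in Vertica.
CREATE KEY root_ca_key TYPE 'RSA' LENGTH 4096;

CREATE CA CERTIFICATE root_ca
    SUBJECT '/C=US/O=Example Corp/CN=Example Root CA'
    VALID FOR 3650
    KEY root_ca_key;

-- 2. Intermediate CA: the CA keyword together with SIGNED BY.
--    Per the ca_cert parameter, it cannot sign other CA certificates,
--    which limits the damage if this key is compromised.
CREATE KEY issuing_ca_key TYPE 'RSA' LENGTH 4096;

CREATE CA CERTIFICATE issuing_ca
    SUBJECT '/C=US/O=Example Corp/CN=Example Issuing CA'
    SIGNED BY root_ca
    VALID FOR 1825
    KEY issuing_ca_key;

-- 3. Server certificate: no CA keyword, so SIGNED BY is required.
--    The extension names are standard OpenSSL x509v3 extensions; they
--    restrict the certificate to TLS server use for a single host name.
CREATE KEY server_key TYPE 'RSA' LENGTH 2048;

CREATE CERTIFICATE server_cert
    SUBJECT '/C=US/O=Example Corp/CN=db.example.com'
    SIGNED BY issuing_ca
    VALID FOR 365
    EXTENSIONS 'extendedKeyUsage' = 'serverAuth',
               'subjectAltName' = 'DNS:db.example.com'
    KEY server_key;
```

Giving the leaf certificate a shorter VALID FOR period than its issuers keeps its rotation independent of the CA lifetimes.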
