Generating TLS Certificates and Keys

This page includes examples and sample procedures for generating certificates and keys with CREATE KEY and CREATE CERTIFICATE. To view your keys and certificates, query the CRYPTOGRAPHIC_KEYS and CERTIFICATES system tables.

For more detailed information on creating signed certificates, OpenSSL recommends the OpenSSL Cookbook. You can download this book for free.

For more information on x509 extensions, see the OpenSSL documentation.

Importing Keys and Certificates


You only need to import private keys if you intend to use its associated certificate to sign something, like a message in client-server TLS, or another certificate. That is, you only only need to import keys if its associated certificate is one of the following:

  • a client/server certificate
  • a CA certificate used to sign other certificates while in Vertica

If you only need your CA certificate to validate other certificates, you do not need to import its private key.

To import a private key:

=> CREATE KEY imported_key TYPE 'RSA' AS '-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----';


To import a CA certificate that only validates other certificates (no private key):

=> CREATE CA CERTIFICATE imported_validating_ca AS '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----';

To import a CA that can both validate and sign other certificates (private key required)

=> CREATE CA CERTIFICATE imported_signing_ca AS '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----'
KEY ca_key;

To import a client/server certificate, you must specify its private key and CA:

SIGNED BY imported_ca KEY imported_key;

Generating Private Keys

To generate an 2048-bit RSA private key:

=> CREATE KEY new_key TYPE 'RSA' LENGTH 2048;

Generating Certificates

The subjects of CA certificates must be different from the subjects of the certificates they sign.

Self-Signed CA Certificates

Certificate Authorities (CA) are trusted entities that use their own CA certificates to sign and validate other certificates. This example generates a self-signing root CA.

While self-signed CA certificates are convenient, you should always use a proper certificate authority in a production environment.

  1. Generate or import a private key.
  2. Generate and sign the certificate with the private key.
    SUBJECT '/C=country_code/ST=state_or_province/L=locality/O=organization/OU=org_unit/CN=Vertica Root CA'
    VALID FOR days_valid
    EXTENSIONS 'authorityKeyIdentifier' = 'keyid:always,issuer', 'nsComment' = 'Vertica generated root CA cert'
    KEY ca_key;

Intermediate CA Certificates

In addition to server certificates, CAs can also sign the certificates of other CAs. This process produces an intermediate CA and a chain of trust between the top-level CA and the intermediate CA. These intermediate CAs can then sign other certificates.

Intermediate CA certificates generated with CREATE CERTIFICATE cannot sign other CA certificates.

  1. Generate or import a private key.
  2. Generate a CA certificate, specifying its private key and signing CA.
=> CREATE CERTIFICATE intermediate_ca
SUBJECT '/C=country_code/ST=state_or_province/L=locality/O=organization/OU=org_unit/CN=Vertica intermediate CA'
SIGNED BY ca_cert
VALID FOR days_valid
KEY intermediate_ca_key;

Server and Client Certificates

The value for the extendedKeyUsage extension will differ based on your use case:

  • Server certificate:
  • 'extendedKeyUsage' = 'serverAuth',
  • Server certificate with Internode Encryption enabled:
  • 'extendedKeyUsage' = 'serverAuth, clientAuth',
  • Client certificate:
  • 'extendedKeyUsage' = 'clientAuth',
  1. Generate or import a CA certificate. Since this CA will be used to sign the client/server certificate, if you import your CA certificate, you must also import its private key.
  2. Generate and sign the certificate with the CA certificate, specifying the correct value for the extendedKeyUsage extension. For example, to create a server certificate:
  3. => CREATE CERTIFICATE server_cert
    SUBJECT '/C=country_code/ST=state_or_province/L=locality/O=organization/OU=org_unit/CN=common_name
    SIGNED BY ca_cert
    EXTENSIONS 'authorityKeyIdentifier' = 'keyid,issuer:always', 'nsCertType' = 'server',
               'extendedKeyUsage' = 'serverAuth',
               'subjectAltName' = 'DNS.1:alt_hostname,IP:IP_address'
    KEY server_key;