CREATE CERTIFICATE

Creates or imports a certificate, Certificate Authority (CA), or intermediate CA. These certificates can be used with ALTER TLS CONFIGURATION to set up client-server TLS, LDAPLink TLS, LDAPAuth TLS, and internode TLS.

CREATE CERTIFICATE generates x509v3 certificates.

Syntax

CREATE [CA] CERTIFICATE certificate_name 
    {AS 'cert' [KEY key_name] 
    | SUBJECT 'subject_name'
      [ SIGNED BY ca_cert ]
      [ VALID FOR days ]
      [ EXTENSIONS 'ext' = 'val',... ]
      [ KEY key_name ]}

Parameters

CA

Specifies the certificate as a CA or intermediate certificate. Excluding this argument will create a normal certificate.

certificate_name

The name of the certificate.

'cert'

The contents of the imported certificate.

This parameter should include the entire chain of certificates, excluding the CA certificate.

key_name

The name of the key.

This parameter only needs to be set for client/server certificates and CA certificates that you intend to sign other certificates with while in Vertica. If your imported CA certificate will only be used for validating other certificates, you do not need to specify a key.

'subject_name'

The entity to issue the certificate to.

ca_cert

The name of the CA that signed the certificate.

When adding a CA certificate, this parameter is optional. Specifying it will create an intermediate CA that cannot be used to sign other CA certificates.

When creating a certificate, this parameter is required.

days

The number of days that the certificate is valid.

'ext' = 'val'

Specifies certificate extensions. For a full list of extensions, see the OpenSSL documentation.

key_name

The name of the certificate's private key.

When importing a certificate, this parameter is required.

Privileges

Superuser

Default Extensions

CREATE CERTIFICATE generates x509v3 certificates and includes several extensions by default. These differ based on the type of certificate you create:

CA Certificate
  • 'basicConstraints' = 'critical, CA:true'
  • 'keyUsage' = 'critical, digitalSignature, keyCertSign'
  • 'nsComment' = 'Vertica generated [CA] certificate'
  • 'subjectKeyIdentifier' = 'hash'
Certificate
  • 'basicConstraints' = 'CA:false'
  • 'keyUsage' = 'critical, digitalSignature, keyEncipherment'

Examples

See Generating TLS Certificates and Keys.
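The following is an added example, not taken from the Vertica documentation. It builds a three-level chain with the syntax above: a self-signed root CA, an intermediate CA, and a server certificate. All object names, subject strings, key lengths, and validity periods are constructed for illustration. The private keys come from CREATE KEY, a separate Vertica statement that this page does not describe.

```sql
-- Added example: names, subjects, and lifetimes below are constructed.

-- 1. Root CA. No SIGNED BY clause, so the certificate is self-signed.
--    KEY is specified because this CA signs other certificates inside Vertica.
CREATE KEY root_ca_key TYPE 'RSA' LENGTH 4096;
CREATE CA CERTIFICATE root_ca
    SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Example Corp/CN=Example Root CA'
    VALID FOR 3650
    KEY root_ca_key;

-- 2. Intermediate CA. CA plus SIGNED BY creates an intermediate that
--    cannot be used to sign other CA certificates.
CREATE KEY intermediate_ca_key TYPE 'RSA' LENGTH 4096;
CREATE CA CERTIFICATE intermediate_ca
    SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Example Corp/CN=Example Intermediate CA'
    SIGNED BY root_ca
    VALID FOR 1825
    KEY intermediate_ca_key;

-- 3. Server certificate. SIGNED BY is required for a non-CA certificate.
--    The defaults ('basicConstraints' = 'CA:false' and the critical
--    keyUsage) are applied automatically; extendedKeyUsage is added here
--    to restrict the certificate to TLS server authentication.
CREATE KEY server_key TYPE 'RSA' LENGTH 2048;
CREATE CERTIFICATE server_cert
    SUBJECT '/C=US/ST=Massachusetts/L=Cambridge/O=Example Corp/CN=db01.example.com'
    SIGNED BY intermediate_ca
    VALID FOR 365
    EXTENSIONS 'extendedKeyUsage' = 'serverAuth'
    KEY server_key;
```

A short VALID FOR on the server certificate and a longer one on each CA keeps rotation of the leaf certificate independent of the CAs that issued it.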
