Creates or imports a certificate, Certificate Authority (CA), or intermediate CA. These certificates can be used with ALTER TLS CONFIGURATION to set up client-server TLS, LDAPLink TLS, LDAPAuth TLS, and internode TLS.

CREATE CERTIFICATE generates x509v3 certificates.


CREATE [CA] CERTIFICATE certificate_name 
    {AS 'cert' [KEY key_name] 
    | SUBJECT 'subject_name'
      [ SIGNED BY ca_cert ]
      [ VALID FOR days ]
      [ EXTENSIONS 'ext' = 'val',... ]
      [ KEY key_name ]}


CA Specifies the certificate as a CA or intermediate certificate. Excluding this argument will create a normal certificate.

The name of the certificate.


The contents of the imported certificate.

This parameter should include the entire chain of certificates, excluding the CA certificate.


The name of the key.

This parameter only needs to be set for client/server certificates and CA certificates that you intend to sign other certificates with while in Vertica. If your imported CA certificate will only be used for validating other certificates, you do not need to specify a key.

'subject_name' The entity to issue the certificate to.

The name of the CA that signed the certificate.

When adding a CA certificate, this parameter is optional. Specifying it will create an intermediate CA that cannot be used to sign other CA certificates.

When creating a certificate, this parameter is required.

days The number of days that the certificate is valid.
'ext' = 'val'

Specifies certificate extensions. For a full list of extensions, see the OpenSSL documentation.


The name of the certificate's private key.

When importing a certificate, this parameter is required.



Default Extensions

CREATE CERTIFICATE generates x509v3 certificates and includes several extensions by default. These differ based on the type of certificate you create:

CA Certificate
  • 'basicConstraints' = 'critical, CA:true'
  • 'keyUsage' = 'critical, digitalSignature, keyCertSign'
  • 'nsComment' = Vertica generated [CA] certificate'
  • 'subjectKeyIdentifier' = 'hash'
  • 'basicConstraints' = 'CA:false'
  • 'keyUsage' = 'critical, digitalSignature, keyEncipherment'


See Generating TLS Certificates and Keys.

See Also