Common Reference

tpm cert gen

tpm cert gen is used to generate the specified typeSpec file(s). This is the core action since the tpm cert command is designed to streamline the generation of Tungsten-specific security files for use by the tpm install and tpm update commands.

Basic examples:

shell> tpm cert gen all
shell> tpm cert gen batch
shell> tpm cert gen mysqlcerts
shell> tpm cert gen mysqlp12
shell> tpm cert gen tungsten
shell> tpm cert gen user

Advanced examples:

shell> tpm cert gen P12_FILE,JK,TS,CJ,CT
shell> tpm cert gen pfx2p12,JK,TS,CJ,CT
shell> tpm cert gen pfx2p1
shell> tpm cert gen pfx2key
shell> tpm cert gen pfx2crt
shell> tpm cert gen crt2pem
shell> tpm cert gen P12_FILE

In addition to the standard [typeSpec] (Execute tpm cert help typespec for a full list) the following [typeSpec]s are also available:

Option	Description	Version
`all` Aliases: `a`	Runs P12_FILE,tungsten
`batch` Aliases: `b`	Runs typeSpec defined in BATCH envvar, comma-separated.
`crt2pem`	Requires database cert file `CRT_FILE` (.crt). Generates .pem from .crt
`env` Aliases: `e`	Generates `$CONTINUENT_ROOT/share/tungsten.env`
`mysqlcerts`	Runs `sudo mysql_ssl_rsa_setup`. See note below.
`mysqlp12`	Generates a p12 file from the configured MySQL client cert files if they exist (`client-cert.pem`,`client-key.pem` and `ca.pem`). The new file will be created in `[certsdir]`: `$CONTINUENT_ROOT/generated/client-cert.p12`
`pfx`	Runs pfx2p12,tungsten
`pfx2crt`	Requires database cert file `PFX_FILE` (.pfx), `CERT_PASS`. Generates .crt from .pfx
`pfx2key`	Requires database cert file `PFX_FILE` (.pfx), `CERT_PASS`. Generates .key and .key.encrypted files from .pfx file
`pfx2p12`	Requires database cert file `PFX_FILE` (.pfx), `STORE_PASS`,`CERT_PASS` (optional). Runs pfx2key,pfx2crt,crt2pem,P12_FILE
`public`	Will create `tungsten_public.jks` from the `$CONTINUENT_HOME/share/tungsten_keystore.jks`
`tungsten` Aliases: `tu`	Runs pre-defined: tl,jg,jk,ts,cj,ct,tj,tt,pw,jm
`user` Aliases: `u`	Runs user-defined: TL,JG,JK,TS,CJ,CT,TJ,TT,PW,JM

note

CERT_PASS is optional for Tungsten because usually database client certs do not have a password See

"Enabling Security" for Tungsten Clustering deployments.
"Enabling Security" for Standalone Tungsten Replicator Deployments.

note

Further detail on mysqlcerts typeSpec:

mysqlcerts runs sudo mysql_ssl_rsa_setup, Click here for more information

From the above docs:

If openssl is present, mysql_ssl_rsa_setup looks for default SSL and RSA files [ca.pem,server-cert.pem, server-key.pem] in the MySQL data directory specified by the --datadir option, or the compiled-in data directory if the --datadir option is not given. If any of those files are present, mysql_ssl_rsa_setup creates no SSL files. Otherwise, it invokes openssl to create them, plus some additional files:

ca.pem : Self-signed CA certificate

ca-key.pem : CA private key

server-cert.pem : Server certificate

server-key.pem : Server private key

client-cert.pem : Client certificate

client-key.pem : Client private key