tpm cert gen is used to generate the specified typeSpec file(s). This is the core action since the tpm cert command is designed to streamline the generation of Tungsten-specific security files for use by the tpm install and tpm update commands.
Basic examples:
shell>tpm cert gen all
shell>tpm cert gen batch
shell>tpm cert gen mysqlcerts
shell>tpm cert gen mysqlp12
shell>tpm cert gen tungsten
shell>tpm cert gen user
Advanced examples:
shell>tpm cert gen P12_FILE,JK,TS,CJ,CT
shell>tpm cert gen pfx2p12,JK,TS,CJ,CT
shell>tpm cert gen pfx2p1
shell>tpm cert gen pfx2key
shell>tpm cert gen pfx2crt
shell>tpm cert gen crt2pem
shell>tpm cert gen P12_FILE
In addition to the standard {typeSpec}
(Execute
tpm cert help typespec for a full list) the following
{typeSpec}
s are also available:
CERT_PASS
is optional for Tungsten because usually
database client certs do not have a password See
Section 5.13.2, “Configure Tungsten<>Database Secure Communication”
Further detail on mysqlcerts
typeSpec:
mysqlcerts runs sudo mysql_ssl_rsa_setup, please see https://dev.mysql.com/doc/refman/5.7/en/mysql-ssl-rsa-setup.html
From the above docs: "If openssl is present, mysql_ssl_rsa_setup looks for default SSL and RSA files [ca.pem,server-cert.pem, server-key.pem] in the MySQL data directory specified by the --datadir option, or the compiled-in data directory if the --datadir option is not given. If any of those files are present, mysql_ssl_rsa_setup creates no SSL files. Otherwise, it invokes openssl to create them, plus some additional files:
ca.pem : Self-signed CA certificate
ca-key.pem : CA private key
server-cert.pem : Server certificate
server-key.pem : Server private key
client-cert.pem : Client certificate
client-key.pem : Client private key