tpm cert gen is used to generate the specified typeSpec file(s). This is the core action since the tpm cert command is designed to streamline the generation of Tungsten-specific security files for use by the tpm install and tpm update commands.
Basic examples:
shell> tpm cert gen all
shell> tpm cert gen batch
shell> tpm cert gen mysqlcerts
shell> tpm cert gen mysqlp12
shell> tpm cert gen tungsten
shell> tpm cert gen user
Advanced examples:
shell> tpm cert gen P12_FILE,JK,TS,CJ,CT
shell> tpm cert gen pfx2p12,JK,TS,CJ,CT
shell> tpm cert gen pfx2p1
shell> tpm cert gen pfx2key
shell> tpm cert gen pfx2crt
shell> tpm cert gen crt2pem
shell> tpm cert gen P12_FILE
In addition to the standard {typeSpec}s (execute tpm cert help typespec for a full list), the following {typeSpec}s are also available:
Table 10.11. typeSpecs for tpm cert gen
Option | Description |
---|---|
all , a | Runs P12_FILE,tungsten |
batch , b | Runs typeSpec defined in BATCH envvar, comma-separated |
crt2pem | Requires database cert file CRT_FILE {.crt}. Generates .pem from .crt |
env , e | Generates $CONTINUENT_ROOT/share/tungsten.env |
mysqlcerts | Runs 'sudo mysql_ssl_rsa_setup'. See note below. |
mysqlp12 | Generates a p12 file from the configured MySQL client cert files if they exist [client-cert.pem, client-key.pem and ca.pem]. The new file will be created in {certsdir}: $CONTINUENT_ROOT/generated/client-cert.p12 |
pfx | Runs pfx2p12,tungsten |
pfx2crt | Requires database cert file PFX_FILE {.pfx}, CERT_PASS. Generates .crt from .pfx |
pfx2key | Requires database cert file PFX_FILE {.pfx}, CERT_PASS. Generates .key and .key.encrypted files from .pfx file |
pfx2p12 | Requires database cert file PFX_FILE {.pfx}, STORE_PASS, CERT_PASS optional. Runs pfx2key,pfx2crt,crt2pem,P12_FILE |
tungsten , tu | Runs pre-defined: tl,jg,jk,ts,cj,ct,tj,tt,pw,jm |
user , u | Runs user-defined: TL,JG,JK,TS,CJ,CT,TJ,TT,PW,JM |
CERT_PASS is optional for Tungsten because database client certs usually do not have a password. See Section 5.13.2, “Configure Tungsten<>Database Secure Communication”.
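The pfx2p12 chain in the table (pfx2key, pfx2crt, crt2pem, then P12_FILE) and the ca.pem bundling that mysqlp12 performs can both be reproduced with plain openssl. The script below is an added example written for this page; it is not tpm's own code and does not show how tpm implements these typeSpecs. The file names under the work directory, the choice of STORE_PASS to protect the .key.encrypted file, the default CERT_PASS value and the self-signed test certificate it builds as input are all assumptions.

```shell
#!/bin/sh
# Added example (not tpm code): the pfx2p12 chain done with openssl.
# Assumed: file names, STORE_PASS for .key.encrypted, constructed test input.
set -eu
umask 077   # private key material must not be group/world readable

WORK="${WORK:-$(mktemp -d)}"
CERT_PASS="${CERT_PASS:-certpass}"   # password on the .pfx; set to "" when the cert has none
STORE_PASS="${STORE_PASS:-changeit}" # password protecting the generated .p12 keystore

# make_test_pfx: constructs a throwaway self-signed cert and bundles it as db.pfx
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-db" \
    -keyout "$WORK/orig.key" -out "$WORK/orig.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/orig.key" -in "$WORK/orig.crt" \
    -passout "pass:$CERT_PASS" -out "$WORK/db.pfx"
}

# pfx2key PFX OUT: unencrypted OUT plus OUT.encrypted (AES-256 under STORE_PASS, assumed)
pfx2key() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$CERT_PASS" \
    | openssl pkey -out "$2"
  openssl pkey -in "$2" -aes256 -passout "pass:$STORE_PASS" -out "$2.encrypted"
}

# pfx2crt PFX OUT: the client certificate only, as openssl writes it (bag attributes included)
pfx2crt() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$CERT_PASS" -out "$2"
}

# crt2pem CRT OUT: normalise to a bare PEM certificate
crt2pem() { openssl x509 -in "$1" -out "$2"; }

# make_p12 CERT KEY OUT [CA]: build the .p12 keystore; the optional CA file is what
# mysqlp12 adds (ca.pem) when bundling client-cert.pem with client-key.pem
make_p12() {
  if [ -n "${4:-}" ]; then
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$4" -passout "pass:$STORE_PASS" -out "$3"
  else
    openssl pkcs12 -export -in "$1" -inkey "$2" -passout "pass:$STORE_PASS" -out "$3"
  fi
}

# key_matches_cert CERT KEY: the check worth running before handing the files to tpm
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# p12_opens P12: confirms the keystore opens with STORE_PASS (MAC verifies)
p12_opens() { openssl pkcs12 -in "$1" -passin "pass:$STORE_PASS" -noout; }

# run_pfx2p12: the four steps the pfx2p12 typeSpec lists, then both checks
run_pfx2p12() {
  pfx2key "$WORK/db.pfx" "$WORK/db.key"
  pfx2crt "$WORK/db.pfx" "$WORK/db.crt"
  crt2pem "$WORK/db.crt" "$WORK/db.pem"
  make_p12 "$WORK/db.pem" "$WORK/db.key" "$WORK/client-cert.p12"
  key_matches_cert "$WORK/db.pem" "$WORK/db.key" && p12_opens "$WORK/client-cert.p12"
}

make_test_pfx
run_pfx2p12 && echo "pfx2p12 chain OK, files in $WORK"
```

Setting CERT_PASS to an empty string reproduces the common case the note above describes (a client cert with no password); STORE_PASS should always be set, because the .p12 is what the keystore commands read. The umask matters: every intermediate here is private key material, and the check that the extracted key actually matches the extracted certificate catches a .pfx that bundled the wrong pair before tpm install picks it up.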
Further detail on the mysqlcerts typeSpec:
mysqlcerts runs sudo mysql_ssl_rsa_setup; see https://dev.mysql.com/doc/refman/5.7/en/mysql-ssl-rsa-setup.html
From the above docs: "If openssl is present, mysql_ssl_rsa_setup looks for default SSL and RSA files [ca.pem,server-cert.pem, server-key.pem] in the MySQL data directory specified by the --datadir option, or the compiled-in data directory if the --datadir option is not given. If any of those files are present, mysql_ssl_rsa_setup creates no SSL files. Otherwise, it invokes openssl to create them, plus some additional files:
ca.pem : Self-signed CA certificate
ca-key.pem : CA private key
server-cert.pem : Server certificate
server-key.pem : Server private key
client-cert.pem : Client certificate
client-key.pem : Client private key