
Recently I ran into the problem of generating a custom certificate that does not bind to 0.0.0.0 in Neo4j. It turns out that Neo4j - in contrast to the documentation - expects DER certificates for both the public and private key.

I will post lessons learned in response to this question.

Rob

rvaneijk

2 Answers


As of 3.0 this has been changed.

  • Open up /etc/neo4j/neo4j.conf and uncomment and change the following line:

      # dbms.directories.certificates=/PATH/TO/YOUR/CERTIFICATES
    
  • Make sure that directory contains your certificate files, named neo4j.key and neo4j.cert.

  • Make sure the files can be written by neo4j.

If you're using only .pem files, you can just rename those to .cert and .key; they're all plain text files, and .pem is just an extension.

See the reference

Directory for storing certificates to be used by Neo4j for TLS connections.

Certificates are stored in the certificates directory, and are called neo4j.key and neo4j.cert.

Tieme

sudo vi /etc/neo4j/neo4j-server.properties

uncomment org.neo4j.server.webserver.address=0.0.0.0
check: org.neo4j.server.webserver.https.enabled=true
check: org.neo4j.server.webserver.https.port=7473
change: org.neo4j.server.webserver.https.cert.location=/var/ssl/neo4j/server.crt
change: org.neo4j.server.webserver.https.key.location=/var/ssl/neo4j/server.key

Now set up access over HTTPS. Note: both the private key and the certificate need to be in DER format.

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.pem
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out server.pem
sudo mkdir -p /var/ssl/neo4j
sudo openssl x509 -outform der -in server.pem -out /var/ssl/neo4j/server.crt
sudo openssl rsa -in server.key -inform PEM -out /var/ssl/neo4j/server.key -outform DER

See also [my notes](http://www.blaeu.com/nl/doku.php/Notes)

rvaneijk
  • note: make sure the COMMON NAME is the same as the server's ip address, or DNS name. – rvaneijk Apr 18 '15 at 11:45
  • You can have server.csr signed by any Certificate Authority. In that case skip line 1, 2, 5. Just use server.csr. After signing, rename the signed certificate to server.pem and continue from line 6. – rvaneijk Apr 19 '15 at 20:44
  • See also [use SSL certificates in Neo4j](http://stackoverflow.com/questions/29735738/how-to-use-ssl-certificates-in-neo4j-instead-of-self-signed-certificates-or-sna) – rvaneijk Apr 19 '15 at 20:57
  • I get `Caused by: java.io.IOException: Unrecognized private key format.` with neo4j 4.0.4. – gkcn May 18 '20 at 23:26
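A pre-flight check for the two files both answers configure, added as an example for this page (it is not code from the question, from either answer, or from Neo4j). It reports whether each file is PEM or DER, whether a key still carries the passphrase that `openssl genrsa -des3` puts on it, and whether the certificate and key files have been swapped, and it performs the same PEM-to-DER conversion that the `openssl ... -outform der` steps above do. The object-type checks are a heuristic on the leading ASN.1 tags (an X.509 certificate, a PKCS#1/PKCS#8 private key and a SubjectPublicKeyInfo differ in their first nested tags), and the sample inputs at the bottom are constructed minimal DER, not real keys or certificates.

```python
"""Pre-flight check for the certificate/key files Neo4j is pointed at. Added example by
the editor, not code from the question, the answers or Neo4j: tells PEM from DER, flags
an encrypted key or swapped files, and does to one PEM block what the `-outform der`
conversions above do. The sample inputs at the bottom are constructed minimal DER."""
import base64


def der_header(data, offset=0):
    """Parse tag and DER length at offset; return (tag, content_start, content_end)."""
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:                                    # short-form length
        length, consumed = first, 1
    else:                                               # long form: 0x80|n, then n bytes
        n = first & 0x7F
        raw = data[offset + 2:offset + 2 + n]
        if not 0 < n <= 4 or len(raw) != n or raw[0] == 0 or (n == 1 and raw[0] < 0x80):
            raise ValueError("indefinite, truncated or non-minimal DER length")
        length, consumed = int.from_bytes(raw, "big"), 1 + n
    start = offset + 1 + consumed
    if start + length > len(data):
        raise ValueError("DER element runs past end of data")
    return tag, start, start + length


def der_kind(der):
    """Classify by leading tags: certificate SEQUENCE{SEQUENCE{[0]|INTEGER ..}..},
    PKCS#1/#8 key SEQUENCE{INTEGER version ..}, SPKI public key SEQUENCE{SEQUENCE{OID ..}..}."""
    try:
        tag, start, end = der_header(der)
        if tag != 0x30 or end != len(der):
            raise ValueError("outer element is not one SEQUENCE spanning the file")
        inner, istart, iend = der_header(der, start)
    except (ValueError, IndexError):
        return "not a DER object"
    if inner == 0x30 and iend > istart:
        return {0xA0: "certificate", 0x02: "certificate", 0x06: "public key"}.get(der[istart], "unknown")
    return "private key" if inner == 0x02 else "unknown"


def pem_blocks(data):
    """Parse PEM armor into [(label, headers, payload)]; headers are the Proc-Type/DEK-Info
    lines that a key written by `openssl genrsa -des3` carries."""
    try:
        lines = data.decode("ascii").splitlines()
    except UnicodeDecodeError:
        return []                                       # binary, so not PEM
    blocks, i = [], 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            label, headers, body = line[11:-5], {}, []
            i += 1
            while i < len(lines) and ":" in lines[i]:   # header block ends at a blank line
                key, value = lines[i].split(":", 1)
                headers[key.strip()] = value.strip()
                i += 1
            while i < len(lines) and lines[i].strip() != "-----END %s-----" % label:
                body.append(lines[i].strip())
                i += 1
            if i == len(lines):
                raise ValueError("no END line for " + label)
            blocks.append((label, headers, base64.b64decode("".join(body), validate=True)))
        i += 1
    return blocks


def encrypted(label, headers):
    return label == "ENCRYPTED PRIVATE KEY" or "ENCRYPTED" in headers.get("Proc-Type", "")


def pem_to_der(data):
    """Strip the armor of one unencrypted PEM block and base64-decode it; that is all
    `openssl x509 -outform der` / `openssl rsa -outform DER` do to such a file."""
    blocks = pem_blocks(data)
    if len(blocks) != 1:
        raise ValueError("expected one PEM block, found %d" % len(blocks))
    label, headers, payload = blocks[0]
    if encrypted(label, headers):
        raise ValueError("key is passphrase-protected; write an unencrypted copy with openssl rsa")
    if der_kind(payload) == "not a DER object":
        raise ValueError("PEM body of %s does not decode to a DER object" % label)
    return payload


def check_pair(cert_bytes, key_bytes):
    """Findings for a certificate/key pair; an empty list means both look usable."""
    findings = []
    for role, payload in (("certificate", cert_bytes), ("private key", key_bytes)):
        encoding, blocks = "DER", pem_blocks(payload)
        if len(blocks) > 1:
            findings.append("%s: PEM file holds %d blocks, expected one" % (role, len(blocks)))
            continue
        if blocks:
            encoding, (label, headers, payload) = "PEM", blocks[0]
            if encrypted(label, headers):
                findings.append("%s: passphrase-protected; openssl rsa writes an unencrypted copy" % role)
                continue
        kind = der_kind(payload)
        if kind != role:
            findings.append("%s: %s file contains a %s, not a %s" % (role, encoding, kind, role))
    return findings


# Constructed sample inputs (not real keys): the smallest byte strings with the right tags.
CERT_DER = bytes.fromhex("30073005a003020102")   # SEQUENCE{SEQUENCE{[0]{INTEGER 2}}}
KEY_DER = bytes.fromhex("3006020100020105")      # SEQUENCE{INTEGER 0, INTEGER 5}


def to_pem(label, payload, headers=()):
    """Wrap payload in PEM armor; optional RFC 1421 headers are followed by a blank line."""
    head = ["-----BEGIN %s-----" % label] + list(headers) + ([""] if headers else [])
    tail = [base64.b64encode(payload).decode(), "-----END %s-----" % label, ""]
    return "\n".join(head + tail).encode()


PEM_CERT = to_pem("CERTIFICATE", CERT_DER)
PEM_KEY = to_pem("RSA PRIVATE KEY", KEY_DER)
ENC_KEY_PEM = to_pem("RSA PRIVATE KEY", b"\0" * 8,
                     ["Proc-Type: 4,ENCRYPTED", "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF"])
```

To check a real pair, call `check_pair(open("neo4j.cert", "rb").read(), open("neo4j.key", "rb").read())` (the file names are whatever your configuration points at); an empty result means each file is a single PEM block or a bare DER object of the expected kind and the key is not passphrase-protected. `pem_to_der` is deliberately strict: it refuses multi-block files and encrypted keys rather than silently producing bytes that the server would then reject.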