For a production Neo4j server I need to use an SSL certificate that is not self-signed. I will post lessons learned in the response below.
3 Answers
sudo vi /etc/neo4j/neo4j-server.properties
uncomment org.neo4j.server.webserver.address=0.0.0.0
check: org.neo4j.server.webserver.https.enabled=true
check: org.neo4j.server.webserver.https.port=7473
change: org.neo4j.server.webserver.https.cert.location=/var/ssl/neo4j/server.crt
change: org.neo4j.server.webserver.https.key.location=/var/ssl/neo4j/server.key
Now set up access to HTTPS. Note: both the private key and the certificate need to be in DER format.
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
Have server.csr (the certificate signing request) signed by the Certificate Authority of your choice.
To install the signed certificate, save it as server.pem and execute the following:
sudo mkdir -p /var/ssl/neo4j
sudo openssl x509 -outform der -in server.pem -out /var/ssl/neo4j/server.crt
sudo openssl rsa -in server.key -inform PEM -out /var/ssl/neo4j/server.key -outform DER
See also [use self-signed certificates in Neo4j](http://stackoverflow.com/questions/29716817/how-to-use-custom-self-signed-certificates-in-neo4j-instead-of-snakeoil-cert). – rvaneijk Apr 19 '15 at 20:58
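The two openssl conversions in this answer are, for an unencrypted key, nothing more than "strip the PEM armour and base64-decode"; the key produced with `-des3` is passphrase-encrypted, so `openssl rsa` prompts for the passphrase and writes the decrypted key as DER. The following Python script is an added example, not part of the answer above: it performs the same PEM-to-DER conversion with the standard library, refuses a legacy encrypted PEM block instead of silently emitting ciphertext, and checks that the outer ASN.1 SEQUENCE header of a DER file spans the whole buffer (a quick way to spot a truncated or concatenated file). The DER sample is a constructed `SEQUENCE { INTEGER 5, INTEGER 7 }`, not a real certificate.

```python
import base64
import re
from typing import Tuple

# One PEM block: armour lines around a base64 body; \1 forces matching BEGIN/END labels.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# Constructed sample DER: SEQUENCE { INTEGER 5, INTEGER 7 } (8 bytes), not a real certificate.
SAMPLE_DER = bytes.fromhex("3006020105020107")

# Constructed legacy encrypted PEM (as produced by `openssl genrsa -des3`); body is junk.
ENCRYPTED_PEM = b"""-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""


def pem_to_der(pem_bytes: bytes) -> Tuple[str, bytes]:
    """Return (label, der) for the first PEM block, i.e. what
    `openssl x509 -outform der` / `openssl rsa -outform DER` write for
    unencrypted input. Encrypted legacy PEM is rejected: decoding its body
    would yield ciphertext, not a DER key."""
    match = PEM_RE.search(pem_bytes)
    if not match:
        raise ValueError("no PEM block found")
    label = match.group(1).decode()
    body = match.group(2)
    if b"Proc-Type:" in body:
        raise ValueError("encrypted PEM: decrypt with `openssl rsa` first")
    body = b"".join(body.split())  # drop the 64-column line breaks
    return label, base64.b64decode(body, validate=True)


def der_to_pem(label: str, der: bytes) -> bytes:
    """Inverse of pem_to_der: base64 body wrapped at 64 columns with armour lines."""
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n".encode()
            + b"\n".join(lines) + b"\n"
            + f"-----END {label}-----\n".encode())


def der_outer_length(der: bytes) -> int:
    """Parse the outer tag/length of a DER object and return its total
    encoded size. X.509 certificates and RSA keys are both SEQUENCEs (0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def is_complete_der(der: bytes) -> bool:
    """True when the outer SEQUENCE exactly spans the buffer: no truncation,
    no trailing bytes from a second concatenated object."""
    try:
        return der_outer_length(der) == len(der)
    except ValueError:
        return False


if __name__ == "__main__":
    pem = der_to_pem("CERTIFICATE", SAMPLE_DER)
    label, der = pem_to_der(pem)
    print(label, der.hex(), is_complete_der(der))
```

Run it against `/var/ssl/neo4j/server.crt` by reading the file and calling `is_complete_der` on its bytes; a `False` there means the file Neo4j is about to load is not a single well-formed DER object.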
If your neo4j server is in a public subnet and you want a valid SSL certificate to protect data in transit:
For certificate generation, you can either use AWS's native certificate generation or LetsEncrypt.
LetsEncrypt - Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group that provides X.509 certificates for Transport Layer Security encryption at no charge.
Install LetsEncrypt:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install -y certbot
Generate a free certificate:
$ sudo certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
# Change group of all letsencrypt files to neo4j
sudo chgrp -R neo4j /etc/letsencrypt/*
# Make sure all directories and files are group readable.
sudo chmod -R g+rx /etc/letsencrypt/*
Set up symlinks and the directory structure neo4j expects:
cd /var/lib/neo4j/certificates
sudo mkdir revoked trusted bak
# Move old generated certificates into a backup directory
sudo mv neo4j.* bak
export MY_DOMAIN=graph.somehost.com
# Configure cert neo4j will use
sudo ln -s /etc/letsencrypt/live/$MY_DOMAIN/fullchain.pem neo4j.cert
# Configure private key neo4j will use
sudo ln -s /etc/letsencrypt/live/$MY_DOMAIN/privkey.pem neo4j.key
# Indicate that this cert is trusted for neo4j
sudo ln -s /etc/letsencrypt/live/$MY_DOMAIN/fullchain.pem trusted/neo4j.cert
Update the Neo4j conf file:
dbms.connectors.default_listen_address=0.0.0.0
dbms.connectors.default_advertised_address=your.hostname.com
bolt.ssl_policy=default
dbms.ssl.policy.default.base_directory=/var/lib/neo4j/certificates
dbms.ssl.policy.default.allow_key_generation=false
dbms.ssl.policy.default.private_key=/var/lib/neo4j/certificates/neo4j.key
dbms.ssl.policy.default.public_certificate=/var/lib/neo4j/certificates/neo4j.cert
dbms.ssl.policy.default.revoked_dir=/var/lib/neo4j/certificates/revoked
dbms.ssl.policy.default.client_auth=NONE
Restart all nodes.
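The symlink layout and the `dbms.ssl.policy.default.*` settings above are easy to get subtly wrong: a typo in `$MY_DOMAIN` leaves dangling links, `chmod -R g+rx` on the wrong tree leaves the key unreadable to the `neo4j` group (or, if widened further, world-readable), and `allow_key_generation` left at its default makes Neo4j generate a self-signed key instead of loading the CA-issued one. The following Python script is an added example, not part of the answer above: it parses `neo4j.conf`-style `key=value` lines, checks the policy settings the answer sets, and walks the certificate directory resolving the symlinks to check that the real private key is group-readable but not world-readable and that `trusted/neo4j.cert` points at the same file as `neo4j.cert`. The sample layout is built in a temporary directory with dummy files; the directory name `certificates` and the file names follow the answer.

```python
import os
import stat
import tempfile
from typing import Dict, List

# The policy block from the answer, used as the known-good sample.
SAMPLE_CONF = """
dbms.connectors.default_listen_address=0.0.0.0
bolt.ssl_policy=default
dbms.ssl.policy.default.base_directory=/var/lib/neo4j/certificates
dbms.ssl.policy.default.allow_key_generation=false
dbms.ssl.policy.default.private_key=/var/lib/neo4j/certificates/neo4j.key
dbms.ssl.policy.default.public_certificate=/var/lib/neo4j/certificates/neo4j.cert
dbms.ssl.policy.default.revoked_dir=/var/lib/neo4j/certificates/revoked
dbms.ssl.policy.default.client_auth=NONE
"""


def parse_neo4j_conf(text: str) -> Dict[str, str]:
    """Parse `key=value` lines, ignoring blank lines and `#` comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def check_ssl_policy(settings: Dict[str, str], policy: str = "default") -> List[str]:
    """Return findings for one SSL policy; an empty list means the policy is
    wired the way the answer describes (CA files, no generated keys, bolt bound)."""
    prefix = f"dbms.ssl.policy.{policy}."
    findings = []
    if settings.get(prefix + "allow_key_generation", "").lower() != "false":
        findings.append(f"{prefix}allow_key_generation is not false: Neo4j may generate a self-signed key")
    for name in ("private_key", "public_certificate", "revoked_dir"):
        if prefix + name not in settings:
            findings.append(f"{prefix}{name} is not set")
    if settings.get("bolt.ssl_policy") != policy:
        findings.append(f"bolt.ssl_policy does not reference policy '{policy}'")
    return findings


def check_certificate_dir(base_dir: str) -> List[str]:
    """Check the symlinked layout: neo4j.key, neo4j.cert and trusted/neo4j.cert
    must resolve, the real key must be group- but not world-readable, and the
    trusted copy must be the same file as the served certificate."""
    findings = []
    key = os.path.join(base_dir, "neo4j.key")
    cert = os.path.join(base_dir, "neo4j.cert")
    trusted = os.path.join(base_dir, "trusted", "neo4j.cert")
    for path in (key, cert, trusted):
        if not os.path.exists(path):  # follows symlinks, so dangling links are reported
            findings.append(f"{path}: missing or dangling symlink")
    if os.path.exists(key):
        mode = stat.S_IMODE(os.stat(key).st_mode)  # os.stat follows the link to the real key
        if mode & stat.S_IROTH:
            findings.append("neo4j.key target is world-readable")
        if not mode & stat.S_IRGRP:
            findings.append("neo4j.key target is not group-readable; neo4j cannot load it")
    if (os.path.exists(cert) and os.path.exists(trusted)
            and os.path.realpath(cert) != os.path.realpath(trusted)):
        findings.append("trusted/neo4j.cert is not the same file as neo4j.cert")
    return findings


def build_sample_layout() -> Dict[str, str]:
    """Build a constructed copy of the answer's layout under a temp dir:
    dummy letsencrypt 'live' files plus the three symlinks. Returns the paths."""
    root = tempfile.mkdtemp()
    live = os.path.join(root, "live")
    base = os.path.join(root, "certificates")
    os.makedirs(live)
    os.makedirs(os.path.join(base, "trusted"))
    for name, mode in (("privkey.pem", 0o640), ("fullchain.pem", 0o644)):
        path = os.path.join(live, name)
        with open(path, "w") as fh:
            fh.write("dummy\n")  # constructed placeholder, not real key material
        os.chmod(path, mode)
    os.symlink(os.path.join(live, "privkey.pem"), os.path.join(base, "neo4j.key"))
    os.symlink(os.path.join(live, "fullchain.pem"), os.path.join(base, "neo4j.cert"))
    os.symlink(os.path.join(live, "fullchain.pem"), os.path.join(base, "trusted", "neo4j.cert"))
    return {"base": base, "key": os.path.join(live, "privkey.pem")}


if __name__ == "__main__":
    print(check_ssl_policy(parse_neo4j_conf(SAMPLE_CONF)))
    print(check_certificate_dir(build_sample_layout()["base"]))
```

On a real host, call `check_certificate_dir("/var/lib/neo4j/certificates")` and `check_ssl_policy(parse_neo4j_conf(open("/etc/neo4j/neo4j.conf").read()))` before restarting the nodes; both return an empty list when the layout matches the answer.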
Thanks rvaneijk. It works for me.
To install the signed certificate (which is obtained from your CA), keep your pem and key file in the same folder.
- Create the certificate in DER format with extension .crt
sudo openssl x509 -outform der -in your_server_pem.pem -out /.crt
- Create the DER-formatted key
sudo openssl rsa -in server.key -inform PEM -out /.key -outform DER