How to use SSL certificates in Neo4j instead of self-signed certificates (or snakeoil.cert)

Question

For a production Neo4j server I need to use a SSL certificate that is not self-signed. I will post lessons learned in the response below.

Answer 1

sudo vi /etc/neo4j/neo4j-server.properties

uncomment org.neo4j.server.webserver.address=0.0.0.0
check: org.neo4j.server.webserver.https.enabled=true
check: org.neo4j.server.webserver.https.port=7473
change: org.neo4j.server.webserver.https.cert.location=/var/ssl/neo4j/server.crt
change: org.neo4j.server.webserver.https.key.location=/var/ssl/neo4j/server.key

now set up access to https note: both the private key and the certificate need to be in DER format

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr

Have server.csr (the certificate signing request) signed by the Certificate Authority of your choice.

To install the signed certificate, save it as server.pem and execute the following:

sudo mkdir -p /var/ssl/neo4j
sudo openssl x509 -outform der -in server.pem -out /var/ssl/neo4j/server.crt
sudo openssl rsa -in server.key -inform PEM -out /var/ssl/neo4j/server.key -outform DER