For a production Neo4j server I need to use an SSL certificate that is not self-signed. I will post lessons learned in the response below.
sudo vi /etc/neo4j/neo4j-server.properties
uncomment org.neo4j.server.webserver.address=0.0.0.0
check: org.neo4j.server.webserver.https.enabled=true
check: org.neo4j.server.webserver.https.port=7473
change: org.neo4j.server.webserver.https.cert.location=/var/ssl/neo4j/server.crt
change: org.neo4j.server.webserver.https.key.location=/var/ssl/neo4j/server.key
Now set up access to HTTPS. Note: both the private key and the certificate need to be in DER format.
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
Have server.csr (the certificate signing request) signed by the Certificate Authority of your choice.
To install the signed certificate, save it as server.pem and execute the following:
sudo mkdir -p /var/ssl/neo4j
sudo openssl x509 -outform der -in server.pem -out /var/ssl/neo4j/server.crt
sudo openssl rsa -in server.key -inform PEM -out /var/ssl/neo4j/server.key -outform DER
Thanks rvaneijk. It works for me.
To install the signed certificate (which is obtained from your CA), keep your pem and key files in the same folder.
sudo openssl x509 -outform der -in your_server_pem.pem -out /.crt
sudo openssl rsa -in server.key -inform PEM -out /.key -outform DER
http://www.scriptscoop2.com/t/8f3630652fcd/how-to-use-ssl-certificates-in-neo4j-instead-of-self-signed-certificat.html
If your neo4j server is in a public subnet and you want a valid SSL certificate to protect data in transit:
For certificate generation, you can either use AWS's native certificate generation or LetsEncrypt.
LetsEncrypt - Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group that provides X.509 certificates for Transport Layer Security encryption at no charge.
Install LetsEncrypt:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install -y certbot
Generate a free certificate:
$ sudo certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
# Change group of all letsencrypt files to neo4j
sudo chgrp -R neo4j /etc/letsencrypt/*
# Make sure all directories and files are group readable.
sudo chmod -R g+rx /etc/letsencrypt/*
Set up the symlinks and the directory structure neo4j expects:
cd /var/lib/neo4j/certificates
sudo mkdir revoked trusted bak
# Move old generated certificates into a backup directory
sudo mv neo4j.* bak
export MY_DOMAIN=graph.somehost.com
# Configure cert neo4j will use
sudo ln -s /etc/letsencrypt/live/$MY_DOMAIN/fullchain.pem neo4j.cert
# Configure private key neo4j will use
sudo ln -s /etc/letsencrypt/live/$MY_DOMAIN/privkey.pem neo4j.key
# Indicate that this cert is trusted for neo4j
sudo ln -s /etc/letsencrypt/live/$MY_DOMAIN/fullchain.pem trusted/neo4j.cert
Update the neo4j.conf file:
dbms.connectors.default_listen_address=0.0.0.0
dbms.connectors.default_advertised_address=your.hostname.com
bolt.ssl_policy=default
dbms.ssl.policy.default.base_directory=/var/lib/neo4j/certificates
dbms.ssl.policy.default.allow_key_generation=false
dbms.ssl.policy.default.private_key=/var/lib/neo4j/certificates/neo4j.key
dbms.ssl.policy.default.public_certificate=/var/lib/neo4j/certificates/neo4j.cert
dbms.ssl.policy.default.revoked_dir=/var/lib/neo4j/certificates/revoked
dbms.ssl.policy.default.client_auth=NONE
Restart all nodes.
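Added example, not from either answer above and not Neo4j's or certbot's own tooling: a POSIX shell script that builds a throwaway CA-signed server certificate, produces the DER pair the first answer installs for Neo4j 2.x, builds the certificates/ symlink layout the second answer uses for Neo4j 3.x, and runs the checks a practitioner would want before restarting the server (key matches certificate, leaf chains to the expected CA, hostname is in the SAN, private key is not world-readable). The domain graph.example.com, every path and the demo CA are constructed for the script; in production the CSR goes to a real CA or certbot writes the live/ directory. Only openssl is required.

```shell
#!/bin/sh
# Added example, not from either answer: throwaway PKI, the Neo4j 2.x DER
# pair, the Neo4j 3.x symlink layout, and the pre-restart checks.
# The domain, all paths and the demo CA are constructed for this script.
set -eu

# Throwaway PKI standing in for your real CA or certbot. The first answer
# generates the key with -des3 (passphrase); -nodes/no passphrase here only
# so the demo runs unattended.
make_test_pki() {                       # make_test_pki DIR DOMAIN
    dir=$1; domain=$2
    mkdir -p "$dir" &&
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/server.key" -subj "/CN=$domain" \
        -out "$dir/server.csr" 2>/dev/null &&
    # SAN is what clients actually match against; CN alone is not enough.
    printf 'subjectAltName=DNS:%s\n' "$domain" > "$dir/san.cnf" &&
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/san.cnf" \
        -out "$dir/server.pem" 2>/dev/null &&
    cat "$dir/server.pem" "$dir/ca.pem" > "$dir/fullchain.pem"  # leaf + issuer, like certbot's fullchain.pem
}

# Neo4j 2.x (first answer): both files in DER. openssl rsa writes the key
# unencrypted, so the server never needs the passphrase and file permissions
# are the only protection left on it.
to_der() {                              # to_der PEMCERT PEMKEY OUTDIR
    mkdir -p "$3" &&
    openssl x509 -inform PEM -in "$1" -outform DER -out "$3/server.crt" &&
    openssl rsa -inform PEM -in "$2" -outform DER -out "$3/server.key" 2>/dev/null
}

# Does the certificate's public key match the private key? Both sides are
# reduced to the same SubjectPublicKeyInfo PEM and compared. FORM is PEM or DER.
key_matches_cert() {                    # key_matches_cert CERT KEY FORM
    cert_pub=$(openssl x509 -inform "$3" -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl rsa -inform "$3" -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Does the leaf chain to the CA we expect, and does its SAN carry the
# hostname clients will connect to?
cert_valid_for() {                      # cert_valid_for CERT CAFILE DOMAIN
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 &&
        openssl x509 -in "$1" -noout -text | grep -qF "DNS:$3"
}

# Neo4j 3.x (second answer): symlinks into certbot's live/ directory plus the
# trusted/ and revoked/ directories the default ssl policy expects.
layout_neo4j3() {                       # layout_neo4j3 LIVEDIR CERTDIR
    mkdir -p "$2/trusted" "$2/revoked" &&
    ln -sf "$1/fullchain.pem" "$2/neo4j.cert" &&
    ln -sf "$1/privkey.pem"   "$2/neo4j.key" &&
    ln -sf "$1/fullchain.pem" "$2/trusted/neo4j.cert"
}

# The chgrp/chmod g+rx in the second answer makes the key group-readable on
# purpose; it must still not be world-readable. -L follows the symlink,
# -perm -004 matches only if the "other" read bit is set.
key_not_world_readable() {              # key_not_world_readable KEY
    [ -z "$(find -L "$1" -perm -004)" ]
}

# Run everything against a constructed tree. Returns 0 only if every check passes.
demo() {                                # demo WORKDIR DOMAIN
    w=$1; d=$2
    make_test_pki "$w/pki" "$d"                                    || return 1
    cert_valid_for "$w/pki/server.pem" "$w/pki/ca.pem" "$d"        || return 1
    to_der "$w/pki/server.pem" "$w/pki/server.key" "$w/der"        || return 1
    key_matches_cert "$w/der/server.crt" "$w/der/server.key" DER   || return 1
    # Stand-in for /etc/letsencrypt/live/$MY_DOMAIN after chgrp neo4j + g+rx
    mkdir -p "$w/live/$d"
    cp "$w/pki/fullchain.pem" "$w/live/$d/fullchain.pem"
    cp "$w/pki/server.key"    "$w/live/$d/privkey.pem"
    chmod 640 "$w/live/$d/privkey.pem"
    layout_neo4j3 "$w/live/$d" "$w/certs"                          || return 1
    key_matches_cert "$w/certs/neo4j.cert" "$w/certs/neo4j.key" PEM || return 1
    key_not_world_readable "$w/certs/neo4j.key"                    || return 1
}

work=$(mktemp -d)
if demo "$work" graph.example.com; then echo "all checks passed"; else echo "a check FAILED"; fi
rm -rf "$work"
```

Point the individual functions at the real files before restarting: `key_matches_cert /var/ssl/neo4j/server.crt /var/ssl/neo4j/server.key DER` for the 2.x layout, or `key_matches_cert /var/lib/neo4j/certificates/neo4j.cert /var/lib/neo4j/certificates/neo4j.key PEM` plus `key_not_world_readable /var/lib/neo4j/certificates/neo4j.key` for the 3.x layout. Since `openssl rsa` strips the passphrase from the DER key and certbot's privkey.pem is unencrypted to begin with, the permission check is the one that matters most.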