Recently I ran into the problem of generating a custom certificate that does not bind to 0.0.0.0 in Neo4j. It turns out that Neo4j - in contrast to the documentation - expects DER certificates for both the public and private key.

I will post lessons learned in respons to this question.

Rob

sudo vi /etc/neo4j/neo4j-server.properties

uncomment org.neo4j.server.webserver.address=0.0.0.0
check: org.neo4j.server.webserver.https.enabled=true
check: org.neo4j.server.webserver.https.port=7473
change: org.neo4j.server.webserver.https.cert.location=/var/ssl/neo4j/server.crt
change: org.neo4j.server.webserver.https.key.location=/var/ssl/neo4j/server.key

now set up access to https note: both the private key and the certificate need to be in DER format

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.pem
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out server.pem
sudo mkdir -p /var/ssl/neo4j
sudo openssl x509 -outform der -in server.pem -out /var/ssl/neo4j/server.crt
sudo openssl rsa -in server.key -inform PEM -out /var/ssl/neo4j/server.key -outform DER

See also [my notes] (http://www.blaeu.com/nl/doku.php/Notes)

As of 3.0 this has been changed.

• Open up /etc/neo4j/neo4j.conf and uncomment and change the following line:

  # dbms.directories.certificates=/PATH/TO/YOUR/CERTIFICATES
  

• Make sure that directory contains you certificate files named neo4j.key and neo4j.cert.

• Make sure the files can be written by neo4j.

If you're using only .pem files, you can just rename those to .cert and .key, they're all plain text files, .pem is just an extension.

See the reference

Directory for storing certificates to be used by Neo4j for TLS connections.

Certificates are stored in the certificates directory, and are called neo4j.key and neo4j.cert.