neo4j · renetapopova · Apr 23, 2026 · Apr 24, 2026 · Apr 24, 2026
diff --git a/modules/ROOT/pages/security/ssl-framework.adoc b/modules/ROOT/pages/security/ssl-framework.adoc
@@ -1056,7 +1056,13 @@ dbms.ssl.policy.cluster.private_key_password=<password>
 dbms.ssl.policy.backup.private_key_password=<password>
 ----
 
-If hardcoding of clear text private key password is not feasible due to security constraints, it can be set up to use dynamic password pickup by following these steps:
+If hardcoding of clear text private key password is not feasible due to security constraints, it can be set up to use dynamic password pickup.
+
+[IMPORTANT]
+====
+Using a dynamic command requires Neo4j to be started with the `--expand-commands` option.
+For more information, see xref:configuration/command-expansion.adoc[Command expansion].
+====
 
 . Create a file containing the `cleartext` password for the private key password and encrypt it with the certificate (assuming private key for cert has password set and certificate is in `pwd`):
 +
@@ -1084,15 +1090,10 @@ To adjust paths to cert and encrypted password file, use full paths:
 +
 [source]
 ----
-dbms.ssl.policy.bolt.private_key_password=$(base64 -w 0 certificate.crt | openssl aes-256-cbc -a -d -in password.enc -pass stdin)
+dbms.ssl.policy.bolt.private_key_password=$(bash -lc 'base64 -w 0 /path/to/certificate.crt | openssl aes-256-cbc -a -d -in /path/to/password.enc -pass stdin'
 ----
-
-[NOTE]
-====
-Using a dynamic command requires Neo4j to be started with the `--expand-commands` option.
-For more information, see xref:configuration/command-expansion.adoc[Command expansion].
-====
-
++
+This example uses `bolt` in `dbms.ssl.policy.bolt.private_key_password`, but depending on what you are trying to do, it can be any of `bolt`, `https`, `cluster`, or `backup`.
 ==== Using specific cipher
 
 There are cases where Neo4j Enterprise requires the use of specific ciphers for encryptions.