From f9b0907476b52c9c5d943c267f7f16b654fe64fa Mon Sep 17 00:00:00 2001 From: Reneta Popova Date: Mon, 18 May 2026 11:58:35 +0100 Subject: [PATCH] Emphasize the use of --expand-commands when using encrypted private key (#3011) https://linear.app/neo4j/issue/DOCCORE-236/feedback-ssl-framework --- .../ROOT/pages/security/ssl-framework.adoc | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/modules/ROOT/pages/security/ssl-framework.adoc b/modules/ROOT/pages/security/ssl-framework.adoc index 3d7ff4647..c1a5f4bb2 100644 --- a/modules/ROOT/pages/security/ssl-framework.adoc +++ b/modules/ROOT/pages/security/ssl-framework.adoc @@ -1109,7 +1109,13 @@ dbms.ssl.policy.cluster.private_key_password= dbms.ssl.policy.backup.private_key_password= ---- -If hardcoding of clear text private key password is not feasible due to security constraints, it can be set up to use dynamic password pickup by following these steps: +If hardcoding of clear text private key password is not feasible due to security constraints, it can be set up to use dynamic password pickup. + +[IMPORTANT] +==== +Using a dynamic command requires Neo4j to be started with the `--expand-commands` option. +For more information, see xref:configuration/command-expansion.adoc[Command expansion]. +==== . Create a file containing the `cleartext` password for the private key password and encrypt it with the certificate (assuming private key for cert has password set and certificate is in `pwd`): + 
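Review bot: the rewritten intro sentence drops "by following these steps:", yet the ordered list (`. Create a file containing the \`cleartext\` password ...`) still follows directly after the new `[IMPORTANT]` block, so the steps now have no lead-in and the admonition sits between the announcement and the procedure. Suggest closing the admonition and then re-introducing the list with a short sentence such as `To set up dynamic password pickup, follow these steps:` so the procedure still reads as what the preceding paragraph promises. The move from `[NOTE]` to `[IMPORTANT]` and the placement ahead of the steps otherwise match the commit's intent.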
@@ -1137,15 +1143,10 @@ To adjust paths to cert and encrypted password file, use full paths: + [source] ---- -dbms.ssl.policy.bolt.private_key_password=$(base64 -w 0 certificate.crt | openssl aes-256-cbc -a -d -in password.enc -pass stdin) +dbms.ssl.policy.bolt.private_key_password=$(bash -lc 'base64 -w 0 /path/to/certificate.crt | openssl aes-256-cbc -a -d -in /path/to/password.enc -pass stdin' ---- - -[NOTE] -==== -Using a dynamic command requires Neo4j to be started with the `--expand-commands` option. -For more information, see xref:configuration/command-expansion.adoc[Command expansion]. -==== - ++ +This example uses `bolt` in `dbms.ssl.policy.bolt.private_key_password`, but depending on what you are trying to do, it can be any of `bolt`, `https`, `cluster`, or `backup`. ==== Using specific cipher There are cases where Neo4j Enterprise requires the use of specific ciphers for encryptions.
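Review bot: the new config line is missing the closing parenthesis of the `$(...)` command substitution: `dbms.ssl.policy.bolt.private_key_password=$(bash -lc 'base64 -w 0 /path/to/certificate.crt | openssl aes-256-cbc -a -d -in /path/to/password.enc -pass stdin'` ends after the single quote, so the expression is unbalanced and command expansion will not evaluate it as written; it should end with `-pass stdin')`. While here, the page would benefit from one sentence on what this scheme does and does not protect: the passphrase that decrypts `password.enc` is the base64 of `certificate.crt`, which is not secret, so the construction only keeps the cleartext private-key password out of `neo4j.conf`; anyone able to read both files can recover it, which argues for giving `password.enc` the same restrictive file permissions as the private key itself.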