Securing MarkLogic Server

Signing a Certificate with Your Own Certificate Authority

As an alternative to using a third-party Certificate Authority, you can create your own Certificate Authority, as described in Creating a Certificate Authority. You can then use this Certificate Authority to sign the certificate request using pki:authority-sign-host-certificate-request().

Once signed, you can forward the signed certificate to any MarkLogic Server user, who can then import the signed certificate into their MarkLogic Server host, as described in Importing a Signed Certificate into MarkLogic Server.

For example, to request and sign a certificate from the mycert template created in Creating a Certificate Template, do the following:

xquery version "1.0-ml";

import module namespace pki = "http://marklogic.com/xdmp/pki"
      at "/MarkLogic/pki.xqy";

declare namespace x509 = "http://marklogic.com/xdmp/x509";

(: Generate a certificate request from the mycert template :)
let $req :=
  pki:generate-certificate-request(
    pki:get-template-by-name("mycert")/pki:template-id,
    "ServerName", (), ())
(: Sign the request with the acme-ca credential; valid from now for 365 days :)
let $cert :=
  pki:authority-sign-host-certificate-request(
    xdmp:credential-id("acme-ca"),
    xdmp:x509-request-extract($req),
    fn:current-dateTime(),
    fn:current-dateTime() + xs:dayTimeDuration("P365D"))

(: Return the signed certificate in extracted form for inspection :)
return xdmp:x509-certificate-extract($cert)