Creating a Certificate Authority
Secure credentials that contain PEM-encoded public and private keys can be used to control access to a CA stored in a MarkLogic Server Security database. To create and insert a CA into the Security database, use pki:create-authority().
For example, the following query creates a CA named acme-ca:
xquery version "1.0-ml";

import module namespace pki = "http://marklogic.com/xdmp/pki"
    at "/MarkLogic/pki.xqy";

declare namespace x509 = "http://marklogic.com/xdmp/x509";

pki:create-authority(
  (: CA name and description :)
  "acme-ca",
  "Acme Certificate Authority",
  (: X.509 subject of the CA certificate :)
  element x509:subject {
    element x509:countryName            {"US"},
    element x509:stateOrProvinceName    {"California"},
    element x509:localityName           {"San Carlos"},
    element x509:organizationName       {"Acme Inc."},
    element x509:organizationalUnitName {"Engineering"},
    element x509:commonName             {"Acme CA"},
    element x509:emailAddress           {"ca@acme.com"}
  },
  (: Validity period: from now until 365 days from now :)
  fn:current-dateTime(),
  fn:current-dateTime() + xs:dayTimeDuration("P365D"),
  (: Permissions: the admin role gets the read capability :)
  (xdmp:permission("admin", "read")))