MarkLogic 10 and Data Hub 5.0

Latest MarkLogic releases provide a smarter, simpler, and more secure way to integrate data.

Read Blog →


Stay On Top Of Everything MarkLogic

Be the first to know! News, product information, and events delivered straight to your inbox.

Sign Me Up →

Using KeyStore Explorer to generate CA Root and end-user (SSL) certificates for MarkLogic Server
14 August 2018 04:06 PM


This Knowledgebase article demonstrates how you can use the KeyStore Explorer tools to generate a CA Root Certificate and end-user certificates for use with MarkLogic Server (for Application Servers which are SSL enabled) and for SSL based client authentication within your applications.

KeyStore Explorer can be downloaded from

Getting Started

Start KeyStore Explorer and select Create a new KeyStore or if you have already had a keystore you can use Open an existing KeyStore

For the KeyStore type select JKS

Generating a Root Certificate Authority

The first step is to create a valid Root Certificate Authority that will be used to sign all end-user or intermediate CA certificates

Right-click within the KeyStore workspace to open the context menu and select the Generate Key Pair option from the menu

Select RSA as the Algorithm and select a Key Size (typically 2048)

After clicking on OK, most of the certificate details will already be pre-populated but you can change the Signature Algorithm, Validity and Serial Number as required.

Click on the Edit Name button

Complete the Certificate Subject details as necessary (in the example above, we're providing a Common Name, an Organization Unit and an Organization Name), then click OK to save these details.  You will see these are now listed under the Name field for the certificate.

Click on the Add Extensions button

For a Certificate Authority the Basic Constraints and Key Usage extensions are required.

Click the Green + button

Select the Key Usage Extension

Select the Certificate Signing and CRL Sign attributes.  With these selected, click OK

Click the Green + button again and this time, select the Basic Constraints Extension

Check the Subject is a CA box and click OK

Verify that both the Key Usage and the Basic Constraints Certificate Extensions are now listed and click OK

Click OK to complete the Root CA certificate generation

Assign an Alias to the newly created key

Enter a password to protect the private key

At this point the Root CA Certificate has been created

Importing the Root Certificate Authority into MarkLogic

Before you can import the Root Certificate into MarkLogic you will first need to export it from the KeyStore Explorer tool in the correct format.

Right click on the Root CA entry in the KeyStore and select Export -> Export Certificate Chain

Select X.509 as the Export Format and check the PEM checkbox, if you have only a single Root CA certificate select Head Only otherwise select Entire Chain

Specify the filename for the exported file; in the example we are using /tmp/rootca.cer (this filename and path will be used later in this article to insert the trusted certificate into MarkLogic Server).

Click Export to save the Root CA certificate to a file

And click OK to dismiss the confirmation prompt

From the Query Console run the following xquery code against the Security Database