Troubleshooting for when an SSL certificate fails to import
16 February 2021 03:43 PM


MarkLogic lets you secure application servers with SSL/TLS certificates.  This article explains the most common reasons a signed certificate is rejected on import and how to troubleshoot them.

Importing a certificate into MarkLogic:

The general procedure for creating a certificate template, generating a certificate request, and importing the signed certificate is described in the MarkLogic documentation.

For a certificate to be imported successfully, the public key in the signed certificate must match a public key held in the Certificate Template.  MarkLogic generates a new public/private key pair for every Certificate Request created from a Certificate Template, so a certificate signed from a superseded request, or from a request that was not generated by MarkLogic from that template, will never match and will be rejected.


If MarkLogic is not accepting the signed certificate, first verify that the certificate file is in PEM format (a text file beginning with -----BEGIN CERTIFICATE-----).  If it is not, use openssl to convert it.  Below are examples of how to convert the common formats to PEM with openssl.

Convert a DER file to PEM: openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a P7B (PKCS#7) file to PEM: openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

Convert a PKCS#12 file to PEM: openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

Note that -nodes writes any private key in the PKCS#12 file to keyStore.pem unencrypted.  MarkLogic already holds the private key in the Certificate Template and only needs the certificate, so when that is all you want, add -clcerts -nokeys to the pkcs12 command so that no private key is written to disk.

If the certificate is in PEM format and the import still fails, check that the public key in the signed certificate is the same as the public key in the certificate request you submitted to the CA.  That public key must also be present in the Certificate Template the certificate is being imported into.

Use the following commands to print the public key (in PEM form) from the certificate request and from the signed certificate; -noout suppresses the rest of the file so that only the public key is shown.

Certificate Request: openssl req -in request.csr -noout -pubkey

Signed Certificate: openssl x509 -in certificate.crt -noout -pubkey

To list the public keys held in the certificate template itself, run the following XQuery script.  It must be run against the Security database by a user with admin rights.  The output also contains private key material: if you need to send the output to MarkLogic Support, remove all data inside the <pki:private-key> elements first.

xquery version "1.0-ml";
import module namespace pki = "http://marklogic.com/xdmp/pki"
  at "/MarkLogic/pki.xqy";

(: Run against the Security database as a user with the admin role. :)
let $template-id := pki:template-get-id(pki:get-template-by-name("INSERT-TEMPLATE-NAME"))
return
  cts:search(fn:collection(),
    cts:element-value-query(xs:QName("pki:template-id"), fn:string($template-id), "exact"))

The output of this script contains one or more <pki:public-key> elements, typically one for each certificate request generated from the template.  One of these public keys must be identical to the public key extracted from your signed certificate.  If none matches, the certificate was signed from a request that does not belong to this template, and MarkLogic will not accept it.
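The following shell script, added here as an illustration and not part of MarkLogic or of the original article, chains the three checks above: it normalises a certificate file to PEM, extracts the public key from a CSR, a certificate, or a file that already holds a PEM public key (for example the contents of one <pki:public-key> element saved to a file, on the assumption that the element holds a PEM-encoded key), and compares the keys by a fingerprint of their DER encoding.  The file names and the name check_cert.sh are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not MarkLogic's code): automate the troubleshooting steps for
# a CSR, a signed certificate and, optionally, a public key copied out of the
# template's pki:public-key element.  All file names are placeholders.

# Step 1: make sure we hand MarkLogic a PEM certificate.  Prints the
# certificate(s) in PEM, converting from DER or PKCS#7 when needed.
to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        cat "$1"                                         # already PEM
    elif grep -q -- '-----BEGIN PKCS7-----' "$1"; then
        openssl pkcs7 -in "$1" -print_certs              # PEM PKCS#7 (.p7b)
    elif openssl x509 -inform der -in "$1" -noout 2>/dev/null; then
        openssl x509 -inform der -in "$1"                # DER certificate (.cer)
    elif openssl pkcs7 -inform der -in "$1" -noout 2>/dev/null; then
        openssl pkcs7 -inform der -in "$1" -print_certs  # DER PKCS#7
    else
        echo "to_pem: unrecognised certificate format: $1" >&2
        return 1
    fi
}

# Step 2: print the PEM public key held in a CSR, a certificate, or a file that
# already contains a PEM public key (e.g. one pasted from <pki:public-key>).
emit_pubkey() {
    case "$1" in
        csr)    openssl req  -in "$2" -noout -pubkey 2>/dev/null ;;
        cert)   openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        pubkey) cat "$2" 2>/dev/null ;;
        *)      echo "emit_pubkey: kind must be csr|cert|pubkey" >&2; return 2 ;;
    esac
}

# Fingerprint the DER-encoded SubjectPublicKeyInfo, so the comparison ignores
# PEM line wrapping and where the key came from.  An unreadable or empty key
# is an error (return 1), never a fingerprint, so two failures cannot "match".
spki_fingerprint() {
    der_hex=$(emit_pubkey "$1" "$2" | openssl pkey -pubin -outform DER 2>/dev/null \
              | od -An -tx1 -v | tr -d ' \n')
    [ -n "$der_hex" ] || return 1
    printf '%s' "$der_hex" | openssl dgst -sha256 | awk '{print $NF}'
}

# Step 3: succeed (exit 0) only when both inputs carry the same public key.
keys_match() {
    a=$(spki_fingerprint "$1" "$2")
    b=$(spki_fingerprint "$3" "$4")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" = "$b" ]
}

# Usage: sh check_cert.sh csr request.csr cert certificate.crt
#        sh check_cert.sh cert certificate.crt pubkey template-key.pem
if [ "$#" -eq 4 ]; then
    if keys_match "$@"; then
        echo "public keys match"
    else
        echo "public keys DIFFER: MarkLogic will reject this certificate" >&2
        exit 1
    fi
fi
```

The keys are compared by hashing the DER SubjectPublicKeyInfo rather than by diffing PEM text, so differing line wrapping or a trailing newline in a key pasted out of the XQuery output does not produce a false mismatch; conversely a file that openssl cannot parse yields no fingerprint at all, so it can never be reported as a match.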
