How to put an Azure App Service Certificate on an Azure VM running Neo4J

Assumptions:
  1. You are running Neo4J Community Edition 3.2.1 or greater on a Linux VM on Azure
  2. You have a wildcard SSL cert purchased from Azure and stored in an Azure keyvault
  3. You can run Powershell ISE on a Windows machine
Software Requirements:

Windows OS (10, in my case) with the following software installed on it:

  1. Powershell ISE (I used the 64-bit version, the one that does not say (x86))
  2. Putty
  3. An FTP client like FileZilla
  4. On the Linux VM on which you are running Neo4J you must have openssl v 1.0.2g or greater
Recipe

Make the script copyasc.ps1 as per the instructions here: https://blogs.msdn.microsoft.com/appserviceteam/2017/02/24/creating-a-local-pfx-copy-of-app-service-certificate/

On Windows 10, in PowerShell ISE (x64) running as administrator, from the directory containing the script copyasc.ps1, run:

Powershell -ExecutionPolicy Bypass .\copyasc.ps1

A .pfx file will be output to the directory in which you ran copyasc.ps1.

With an FTP tool, like FileZilla, upload the .pfx file to your Linux VM running neo4j.

In your Putty terminal, in which you have opened an ssh session with your Linux VM, you will now extract the key and certs from the .pfx file.
To extract the key, run:

openssl pkcs12 -in appservicecertificate.pfx -out neo4jkey.pem -nocerts -nodes -password pass:

To extract the cert, run:

openssl pkcs12 -in appservicecertificate.pfx -out neo4jcert.pem -nokeys -password pass:

(on my VM, I had to use the -password arg here in the command to avoid Openssl’s “Mac verify error: invalid password?” error. Openssl’s password prompt would not accept the super long password that Azure generates.)

Now, move the resulting files to the neo4j cert dir, renaming them at the same time (according to the names specified here: https://neo4j.com/docs/operations-manual/current/configuration/install-certificates/)

sudo mv neo4jcert.pem /var/lib/neo4j/certificates/neo4j.cert
sudo mv neo4jkey.pem /var/lib/neo4j/certificates/neo4j.key

Change ownership of the key and cert (now in the neo4j cert dir) to the neo4j user:

sudo chown neo4j:admin /var/lib/neo4j/certificates/neo4j.key
sudo chown neo4j:admin /var/lib/neo4j/certificates/neo4j.cert

Restrict permissions on the key and cert so that only the neo4j user can read them:

sudo chmod 400 /var/lib/neo4j/certificates/neo4j.key
sudo chmod 400 /var/lib/neo4j/certificates/neo4j.cert

Restart neo4j:

sudo neo4j restart

Confirm in a browser that neo4j is now serving the SSL cert successfully.
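
A scripted version of that confirmation, added here as an example (not part of the original post and not Neo4j's own tooling): it checks that neo4j.key and neo4j.cert carry the owner and mode set above, and that the private key really belongs to the certificate, which is the usual reason the browser check fails after a pfx extraction. It assumes the default certificate directory /var/lib/neo4j/certificates and the neo4j user; override CERT_DIR to point elsewhere.

```shell
#!/bin/sh
# Post-install check for the Neo4j key/cert pair (constructed example).
CERT_DIR=${CERT_DIR:-/var/lib/neo4j/certificates}

# check_file_perms FILE OWNER MODE
# Succeeds only if FILE exists, is owned by OWNER and has exactly MODE
# (e.g. 400), i.e. the result of the chown/chmod steps in the recipe.
check_file_perms() {
  f=$1; owner=$2; mode=$3
  [ -f "$f" ] || { echo "missing: $f"; return 1; }
  # POSIX find: -user and -perm (exact mode) together, no GNU stat needed
  [ -n "$(find "$f" -user "$owner" -perm "$mode" 2>/dev/null)" ] || {
    echo "wrong owner or mode on $f (want $owner, mode $mode)"; return 1; }
  return 0
}

# key_matches_cert KEY CERT
# The public key derived from the private key must be byte-identical to the
# public key embedded in the certificate; otherwise TLS handshakes will fail.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# verify_neo4j_tls: run both checks over the installed files.
verify_neo4j_tls() {
  check_file_perms "$CERT_DIR/neo4j.key" neo4j 400 &&
  check_file_perms "$CERT_DIR/neo4j.cert" neo4j 400 &&
  key_matches_cert "$CERT_DIR/neo4j.key" "$CERT_DIR/neo4j.cert" &&
  echo "ok: neo4j.key and neo4j.cert are installed, locked down and match"
}
```

Run it as root (or as the neo4j user) after the restart; a non-zero exit names the file that is wrong.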

Cleanup

Delete the pfx file (it contains the private key) from the VM: rm -f appservicecertificate.pfx
Delete the pfx file from the Windows 10 machine as well.
