Configure SSL Policy for Bolt server and HTTPS server

This section describes how to configure the SSL policy for Bolt and HTTPS servers.

Neo4j 3.5 allows encrypted connections with the default configuration: self-signed certificates are generated automatically if no certificate is installed before the server starts. From 4.0 onwards, encryption is off by default and Neo4j no longer generates certificates when none are provided. As a result, the Bolt server only accepts plaintext connections, and the HTTPS server is not enabled at all unless you configure it.

Table 1. Encryption and certificates differences between 3.5 and 4.x servers

|                                  | 3.5 Neo4j Bolt Server | 4.0 Neo4j Bolt Server | 3.5 Neo4j HTTPS Server | 4.0 Neo4j HTTPS Server |
|----------------------------------|-----------------------|-----------------------|------------------------|------------------------|
| Server Enabled                   | Yes | Yes | Yes | No |
| Encryption on client connections | Optional | Not allowed | Always | Always |
| Certificates                     | Auto-generated self-signed certificates if not provided | None | Auto-generated self-signed certificates if not provided | None |
| Default Certificates Path        | $neo4jHome/certificates | None | $neo4jHome/certificates | None |
| Default Certificate Names        | neo4j.key, neo4j.cert | private.key, public.crt | neo4j.key, neo4j.cert | private.key, public.crt |

To re-enable encryption in 4.x, you have to configure the SSL policy in the neo4j.conf file. The examples below assume a certificate named public.crt and a private key named private.key in the folder $neo4jHome/certificates/bolt for the Bolt server, and files with the same names in the folder $neo4jHome/certificates/https for the HTTPS server. Example 1 turns encryption back on for the Bolt server and Example 2 re-enables the HTTPS server.

Example 1. Turn encryption on for the Bolt 4.0 server.

dbms.connector.bolt.enabled=true
# OPTIONAL allows both encrypted and unencrypted driver connections
dbms.connector.bolt.tls_level=OPTIONAL

dbms.ssl.policy.bolt.enabled=true
dbms.ssl.policy.bolt.base_directory=certificates/bolt
# The next two settings are optional if the file names match the defaults (private.key, public.crt).
#dbms.ssl.policy.bolt.private_key=private.key
#dbms.ssl.policy.bolt.public_certificate=public.crt

Example 2. Enable the HTTPS 4.0 server.

dbms.connector.https.enabled=true

dbms.ssl.policy.https.enabled=true
dbms.ssl.policy.https.base_directory=certificates/https
# The next two settings are optional if the file names match the defaults (private.key, public.crt).
#dbms.ssl.policy.https.private_key=private.key
#dbms.ssl.policy.https.public_certificate=public.crt
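Because a 4.x server silently falls back to plaintext Bolt and no HTTPS when the SSL policy is incomplete, it is worth checking the resulting posture before starting the server. The script below is an added example, not Neo4j's own tooling: it parses the settings used in Example 1 and Example 2, applies the 4.0 defaults from Table 1 (Bolt enabled, HTTPS disabled, tls_level DISABLED, private.key and public.crt as default file names), and reports for each connector whether unencrypted client connections are still accepted and whether the key and certificate files the policy points at exist under the neo4j home directory. The REQUIRED value for tls_level is a real setting value but is not shown on this page; the temporary neo4j home and its placeholder key and certificate files are constructed for the demo.

```python
"""Audit the Bolt and HTTPS SSL posture declared in a Neo4j 4.x neo4j.conf.

Added example (not Neo4j's own tooling). Defaults follow the 4.0 column of
Table 1 above; the neo4j home layout built by build_demo_home() is constructed.
"""
import os
import tempfile
from dataclasses import dataclass, field

DEFAULTS = {
    "dbms.connector.bolt.enabled": "true",     # 4.0: Bolt listens by default
    "dbms.connector.https.enabled": "false",   # 4.0: HTTPS off by default
    "dbms.connector.bolt.tls_level": "DISABLED",
}
DEFAULT_KEY, DEFAULT_CERT = "private.key", "public.crt"

# Example 1 and Example 2 from this page, with comments on their own lines.
EXAMPLE_CONF = """\
dbms.connector.bolt.enabled=true
# allows both encrypted and unencrypted driver connections
dbms.connector.bolt.tls_level=OPTIONAL
dbms.ssl.policy.bolt.enabled=true
dbms.ssl.policy.bolt.base_directory=certificates/bolt

dbms.connector.https.enabled=true
dbms.ssl.policy.https.enabled=true
dbms.ssl.policy.https.base_directory=certificates/https
"""


def parse_conf(text):
    """key=value lines; full-line '#' comments and blanks are skipped. Assumes
    properties-file semantics: everything after '=' is the value, so an
    inline '# ...' comment would become part of the value."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


@dataclass
class ConnectorReport:
    name: str
    enabled: bool
    encryption: str            # "none", "optional" or "required"
    policy_enabled: bool
    problems: list = field(default_factory=list)


def audit_connector(settings, name, neo4j_home):
    """Evaluate one connector ('bolt' or 'https') against the parsed settings."""
    enabled = settings.get(f"dbms.connector.{name}.enabled", "false").lower() == "true"
    policy_enabled = settings.get(f"dbms.ssl.policy.{name}.enabled", "false").lower() == "true"
    if name == "bolt":
        level = settings["dbms.connector.bolt.tls_level"].upper()
        encryption = {"DISABLED": "none", "OPTIONAL": "optional", "REQUIRED": "required"}.get(level, "unknown")
    else:
        encryption = "required"            # HTTPS is always encrypted (Table 1)
    rep = ConnectorReport(name, enabled, encryption, policy_enabled)
    if not enabled:
        return rep                         # nothing listening, nothing to check
    if encryption == "none":
        rep.problems.append("bolt accepts plaintext only (tls_level DISABLED)")
    elif encryption == "optional":
        rep.problems.append("bolt tls_level OPTIONAL still accepts unencrypted driver connections")
    if encryption != "none" and not policy_enabled:
        rep.problems.append(f"{name} needs TLS but dbms.ssl.policy.{name}.enabled is not true")
    if policy_enabled:
        base = settings.get(f"dbms.ssl.policy.{name}.base_directory")
        if base is None:
            rep.problems.append(f"dbms.ssl.policy.{name}.base_directory is not set")
            return rep
        base_dir = os.path.join(neo4j_home, base)   # relative paths resolve under neo4j home
        for label, default in (("private_key", DEFAULT_KEY), ("public_certificate", DEFAULT_CERT)):
            fname = settings.get(f"dbms.ssl.policy.{name}.{label}", default)
            path = os.path.join(base_dir, fname)
            if not os.path.isfile(path):
                rep.problems.append(f"{name} {label} missing: {path}")
    return rep


def audit_text(conf_text, neo4j_home):
    """Return {'bolt': ConnectorReport, 'https': ConnectorReport} for a conf string."""
    settings = parse_conf(conf_text)
    return {n: audit_connector(settings, n, neo4j_home) for n in ("bolt", "https")}


def build_demo_home():
    """Constructed neo4j home with placeholder key/cert files in the folders
    Example 1 and Example 2 expect (contents are not real PEM material)."""
    home = tempfile.mkdtemp(prefix="neo4j-home-")
    for sub in ("certificates/bolt", "certificates/https"):
        os.makedirs(os.path.join(home, sub))
        for fname in (DEFAULT_KEY, DEFAULT_CERT):
            with open(os.path.join(home, sub, fname), "w") as fh:
                fh.write("placeholder\n")
    return home


if __name__ == "__main__":
    home = build_demo_home()
    for label, text in (("4.0 defaults", ""), ("page examples", EXAMPLE_CONF)):
        print(f"== {label}")
        for rep in audit_text(text, home).values():
            state = "enabled" if rep.enabled else "disabled"
            print(f"{rep.name}: {state}, encryption={rep.encryption}, problems={rep.problems}")
```

Run against an empty configuration the audit reports exactly the 4.0 situation described at the top of this page (Bolt listening in plaintext, HTTPS off); run against the two examples it confirms both policies resolve to existing files and only flags that tls_level=OPTIONAL still lets drivers connect without encryption.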