Signing a Certificate with Your Own Certificate Authority
- Last Updated: May 20, 2026
- 1 minute read
- MarkLogic Server
- Version 12.0
- Documentation
As an alternative to using a third-party Certificate Authority, you can create your own Certificate Authority, as described in Creating a Certificate Authority. You can then use this Certificate Authority to sign the certificate request using pki:authority-sign-host-certificate-request().
Once signed, you can forward the signed certificate to any MarkLogic Server user, who can then import the signed certificate into their MarkLogic Server host, as described in Importing a Signed Certificate into MarkLogic Server.
For example, to request and sign a certificate from the mycert template created in Creating a Certificate Template, do the following:
xquery version "1.0-ml";
import module namespace pki = "http://marklogic.com/xdmp/pki"
at "/MarkLogic/pki.xqy";
declare namespace x509 = "http://marklogic.com/xdmp/x509";
let $req :=
pki:generate-certificate-request(
pki:get-template-by-name("mycert")/pki:template-id,
"ServerName", (), ())
let $cert :=
pki:authority-sign-host-certificate-request(
xdmp:credential-id("acme-ca"),
xdmp:x509-request-extract($req),
fn:current-dateTime(),
fn:current-dateTime() + xs:dayTimeDuration("P365D"))
return xdmp:x509-certificate-extract($cert)
Note:
This script returns the XML representation of the specified x.509 certificate. To return the certificate as-is, use return($cert) then import the certificate into MarkLogic Server.