Creating Secure Credentials from a Certificate Authority
- Last Updated: April 14, 2026
- MarkLogic Server
- Version 11.0
- Documentation
Once you have created a CA as described in Creating a Certificate Authority, you can use the CA to create a client certificate and private key to build a secure credential.
Use pki:authority-create-client-certificate() to create a client certificate with PEM-encoded public/private keys. Next, use sec:create-credential() to generate and insert the credential.
For example, to create a secure credential named acme-cred from the acme-ca CA, one that includes PEM-encoded public and private keys and a username and password, and that enables access to the target https://MLserver:8010/.*, do the following. The admin/admin username and password shown are sample values; substitute the account that the target expects.
xquery version "1.0-ml";

(: Issues a client certificate from the "acme-ca" certificate authority and
   stores it, together with a username and password, as the secure
   credential "acme-cred".
   NOTE(review): the sec: functions are normally evaluated against the
   security database; confirm the database this query runs in. :)

import module namespace sec = "http://marklogic.com/xdmp/security"
    at "/MarkLogic/security.xqy";
import module namespace pki = "http://marklogic.com/xdmp/pki"
    at "/MarkLogic/pki.xqy";

declare namespace x509 = "http://marklogic.com/xdmp/x509";

(: Distinguished name placed in the client certificate. :)
let $subject :=
  element x509:subject {
    element x509:countryName {"US"},
    element x509:stateOrProvinceName {"California"},
    element x509:localityName {"San Carlos"},
    element x509:organizationName {"Acme Inc."},
    element x509:organizationalUnitName {"Engineering"},
    element x509:commonName {"Elmer Fudd"},
    element x509:emailAddress {"elmer.fudd@acme.com"}
  }

(: Validity window: from the time of the query until 365 days later. :)
let $valid-from := fn:current-dateTime()
let $valid-until := $valid-from + xs:dayTimeDuration("P365D")

(: The call returns two items: the certificate, then its private key. :)
let $issued :=
  pki:authority-create-client-certificate(
    xdmp:credential-id("acme-ca"),
    $subject,
    $valid-from,
    $valid-until)

(: The private key is passed straight into the credential and is never
   returned or logged by this query; keep it that way when adapting it. :)
return
  sec:create-credential(
    "acme-cred",
    "A credential with user/password and certificate",
    (: Sample username and password; avoid literal secrets in stored modules. :)
    "admin", "admin",
    $issued[1],   (: certificate :)
    $issued[2],   (: private key :)
    (: presumably the signing flag; confirm against the sec:create-credential reference :)
    fn:false(),
    (: The credential is scoped to URIs matching this pattern, with digest
       authentication. Keep the pattern as narrow as the use case allows. :)
    sec:uri-credential-target("https://MLserver:8010/.*", "digest"),
    (: Only the admin role is given read capability on the credential. :)
    xdmp:permission("admin","read"))
To create a secure credential, named simple-cred, that uses only a username and password, do the following:
xquery version "1.0-ml";

(: Creates the secure credential "simple-cred", which carries only a
   username and password (no certificate or private key).
   NOTE(review): the sec: functions are normally evaluated against the
   security database; confirm the database this query runs in. :)

import module namespace sec = "http://marklogic.com/xdmp/security"
    at "/MarkLogic/security.xqy";

(: The credential is scoped to URIs matching this pattern, with digest
   authentication. Keep the pattern as narrow as the use case allows. :)
let $target :=
  sec:uri-credential-target("https://MLserver:8010/.*", "digest")

(: Only the admin role is given read capability on the credential. :)
let $read-by-admin := xdmp:permission("admin","read")

return
  sec:create-credential(
    "simple-cred",
    "A simple credential without a certificate",
    (: Sample username and password; avoid literal secrets in stored modules. :)
    "admin", "admin",
    (: Empty sequences: no certificate and no private key. :)
    (), (),
    (: presumably the signing flag; confirm against the sec:create-credential reference :)
    fn:false(),
    $target,
    $read-by-admin)
As described in Configuring SSL on App Servers, MarkLogic Server app servers authenticate clients by means of a host certificate associated with a certificate template. The following example shows how to create a host certificate using the CA described in Creating a Certificate Authority and import it into the myTemplate certificate template. For details on how to create a certificate template, see Creating a Certificate Template.
xquery version "1.0-ml";

(: Issues a host certificate from the "acme-ca" certificate authority and
   inserts it, with its private key, into the certificate template named
   "myTemplate". :)

import module namespace pki = "http://marklogic.com/xdmp/pki"
    at "/MarkLogic/pki.xqy";

declare namespace x509 = "http://marklogic.com/xdmp/x509";

(: Distinguished name placed in the host certificate. :)
let $subject :=
  element x509:subject {
    element x509:countryName {"US"},
    element x509:stateOrProvinceName {"California"},
    element x509:localityName {"San Carlos"},
    element x509:organizationName {"Acme Inc."},
    element x509:organizationalUnitName {"Engineering"},
    element x509:commonName {"MLserver.marklogic.com"},
    element x509:emailAddress {"me@marklogic.com"}
  }

(: Validity window: from the time of the query until 365 days later. :)
let $valid-from := fn:current-dateTime()
let $valid-until := $valid-from + xs:dayTimeDuration("P365D")

(: The call returns two items: the certificate, then its private key.
   The last two arguments are presumably the DNS name and IP address for
   the host; confirm against the pki API reference.
   NOTE(review): the commonName above and the DNS name below are different
   sample hosts. Clients that verify host names check the name they
   connect to, so use values that match the real server. :)
let $issued :=
  pki:authority-create-host-certificate(
    xdmp:credential-id("acme-ca"),
    $subject,
    $valid-from,
    $valid-until,
    "www.eng.acme.com", "1.2.3.4")

(: Look up the id of the existing template that will hold the certificate. :)
let $template-id :=
  pki:template-get-id(pki:get-template-by-name("myTemplate"))

(: The private key goes directly into the template and is never returned
   or logged by this query; keep it that way when adapting it. :)
return
  pki:insert-host-certificate(
    $template-id,
    $issued[1],   (: certificate :)
    $issued[2])   (: private key :)