
MarkLogic® Server on Kubernetes

Configure a MarkLogic Cluster with a standard certificate

  • Last Updated: April 14, 2026

To configure a MarkLogic Cluster with a standard certificate:

  1. Obtain a certificate with a common name matching the hostname of the MarkLogic host. The certificate must be signed by a trusted Certificate Authority (CA). Either a publicly rooted CA or a private CA can be used. This example uses a private CA and a 2-node cluster.

  2. Use this script to generate a self-signed CA certificate with OpenSSL. The script creates ca-private-key.pem as the CA key and cacert.pem as the private CA certificate:

    # Generate private key for CA
    openssl genrsa -out ca-private-key.pem 2048
    
    # Generate the self-signed CA certificate
    openssl req -new -x509 -days 3650 -key ca-private-key.pem -out cacert.pem
    
  3. Use this script to generate a private key and CSR for the marklogic-0 pod and to sign the CSR with the private CA. After running the script, tls.key is generated as the private key and tls.crt as the host certificate for the marklogic-0 pod.

    • In Kubernetes, the fully qualified domain name (FQDN) of a pod follows this structure: <pod-name>.<service-name>.<namespace>.svc.cluster.local.

    • For example, if the release name in Helm Chart is marklogic, or the markLogicGroups.name in Operator is marklogic, then the host name for the marklogic-0 pod in the default namespace will be marklogic-0.marklogic.default.svc.cluster.local.

    • The host name for the marklogic-1 pod in the default namespace will be marklogic-1.marklogic.default.svc.cluster.local.

    Note:

    The filename for the private key must be tls.key and the filename for the host certificate must be tls.crt.

    # Create private key
    openssl genpkey -algorithm RSA -out tls.key
    
    # Create CSR for marklogic-0
    # Use marklogic-0.marklogic.default.svc.cluster.local as Common Name(CN) for CSR
    openssl req -new -key tls.key -out tls.csr
    
    # Sign CSR with private CA
    openssl x509 -req -CA cacert.pem -CAkey ca-private-key.pem -in tls.csr -out tls.crt -days 365
    
  4. Use this script to generate secrets for the host certificate and the CA certificate. Repeat these steps to generate the certificate for the marklogic-1 host and create the secret marklogic-1-cert. After running the script, secrets are created for marklogic-0 and marklogic-1. One secret is also created for the private CA certificate.

    # Generate Secret for marklogic-0 host certificate
    kubectl create secret generic marklogic-0-cert --from-file=tls.crt --from-file=tls.key
    
    # Generate Secret for private CA certificate
    kubectl create secret generic ca-cert --from-file=cacert.pem
    
  5. Once the certificates are stored in Kubernetes secrets, add this section to the values.yaml file for Helm Chart and the sample.yaml file for Operator:

    tls:
      enableOnDefaultAppServers: true
      certSecretNames:
        - "marklogic-0-cert"
        - "marklogic-1-cert"
      caSecretName: "ca-cert"
    
  6. Follow the instructions in Install the chart.
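A pre-flight check worth running on each tls.crt/tls.key pair before step 4 stores it in a secret: it confirms the certificate chains to cacert.pem, that its Common Name is the pod FQDN, that the key belongs to the certificate, and that it has not expired. This is an added example, not part of the MarkLogic documentation; the function names (pod_fqdn, cert_cn, check_host_cert, make_demo_pki), the demo-ca subject and the per-pod directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names and the demo PKI are constructed for illustration.
# FQDN of a pod: <pod-name>.<service-name>.<namespace>.svc.cluster.local
pod_fqdn() { printf '%s.%s.%s.svc.cluster.local\n' "$1" "$2" "$3"; }

# Print the subject Common Name of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# check_host_cert CERT KEY CACERT FQDN: returns 0 only if every check passes.
check_host_cert() {
  cert=$1 key=$2 ca=$3 fqdn=$4
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "FAIL: $cert is not signed by $ca"; return 1; }
  [ "$(cert_cn "$cert")" = "$fqdn" ] ||
    { echo "FAIL: CN '$(cert_cn "$cert")' != '$fqdn'"; return 1; }
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
    { echo "FAIL: $key does not match $cert"; return 1; }
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
    { echo "FAIL: $cert has expired"; return 1; }
  echo "OK: $cert"
}

# Constructed demo PKI: a throwaway CA and one host certificate per pod, each in
# its own directory so the second tls.key/tls.crt pair cannot overwrite the first.
make_demo_pki() {
  d=$1
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$d/ca-private-key.pem" -out "$d/cacert.pem" 2>/dev/null
  for pod in marklogic-0 marklogic-1; do
    mkdir -p "$d/$pod"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$pod/tls.key" \
      -subj "/CN=$(pod_fqdn "$pod" marklogic default)" \
      -out "$d/$pod/tls.csr" 2>/dev/null
    openssl x509 -req -CA "$d/cacert.pem" -CAkey "$d/ca-private-key.pem" \
      -CAcreateserial -in "$d/$pod/tls.csr" -out "$d/$pod/tls.crt" \
      -days 1 2>/dev/null
  done
}

# Run the checks against the constructed PKI, then discard it.
demo=$(mktemp -d) && make_demo_pki "$demo" &&
  check_host_cert "$demo/marklogic-0/tls.crt" "$demo/marklogic-0/tls.key" \
    "$demo/cacert.pem" "$(pod_fqdn marklogic-0 marklogic default)"
rm -rf "$demo"
```

For real files, call check_host_cert with tls.crt, tls.key, cacert.pem and the pod's FQDN before running kubectl create secret; a mismatch reported here is far easier to diagnose than a failed TLS handshake inside the cluster.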
