Issues with in-house generated certificate

I have a backend where I run a couple of containers as a Docker Compose stack. One of the services is a neo4j server (community edition). I've opened ports 7473 and 7687 in the firewall to our subnet. Our IT organisation has created an "in-house" certificate for this specific server.

These are the TLS-related settings:

     - NEO4J_server_bolt_enabled=true
     - NEO4J_server_bolt_tls__level=REQUIRED
     - NEO4J_server_http_enabled=false
     - NEO4J_server_https_enabled=true
     - NEO4J_dbms_security_auth__enabled=true
     - NEO4J_dbms_ssl_policy_bolt_enabled=true
     - NEO4J_dbms_ssl_policy_bolt_client__auth=OPTIONAL
     - NEO4J_dbms_ssl_policy_bolt_base__directory=/certs
     - NEO4J_dbms_ssl_policy_bolt_private__key=<in-house certificate key here>
     - NEO4J_dbms_ssl_policy_bolt_public__certificate=<in-house certificate here>
     - NEO4J_dbms_ssl_policy_bolt_verify__hostname=false
     - NEO4J_dbms_ssl_policy_bolt_trust__all=false
     - NEO4J_dbms_ssl_policy_https_enabled=true
     - NEO4J_dbms_ssl_policy_https_client__auth=OPTIONAL
     - NEO4J_dbms_ssl_policy_https_base__directory=/certs
     - NEO4J_dbms_ssl_policy_https_private__key=<in-house certificate key here>
     - NEO4J_dbms_ssl_policy_https_public__certificate=<in-house certificate here>
     - NEO4J_dbms_ssl_policy_https_verify__hostname=false
     - NEO4J_dbms_ssl_policy_https_trust__all=false

The in-house certificate has been installed as a "personal certificate" on each user's machine. However, when entering https://<servername>:7473/browser a dialog appears where another certificate pops up. I get a feeling that the browser doesn't allow our in-house certificate to be used with the neo4j-browser. It doesn't matter whether I select neo4j+s:// or bolt+s:// in the connect URL - we're always presented with the dialog box asking for a valid certificate.

Maybe one or more of the settings above are wrong for our environment but I fail to identify them.

I found the following from the official neo4j documentation with regards to the neo4j browser:

URI schemes ending +ssc are not supported by Neo4j Browser since the browser’s OS handles certificate trust. If it is necessary to connect to a Neo4j instance using a self-signed certificate from Neo4j Browser, first visit a web page that uses the self-signed certificate in order to prompt the browser to request that certificate trust be granted. Once that trust has been granted, you can connect with URI schemes ending +s.

When I try the above I'm not able to select our in-house certificate, and issuing an `openssl s_client -connect <our server fqdn>:7687` confirms that the server is configured with our certificate. Furthermore, inspecting the (browser) debug log I can see that I get an "An error occurred: SSL_ERROR_HANDSHAKE_FAILURE_ALERT" exception. To me it looks like we're indeed having certificate issues here.

This is leaving me clueless as to what is going on here and would appreciate any help I can get :)

UPDATE

I decided to generate a "p12" file (using openssl) and managed to import the certificate into my Edge browser but the browser fails to identify my certificate although I can verify it is imported and used, among other things, for "server authentication".
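The two settings in the post that decide what a browser sees are `client_auth` and whether the issuing CA is trusted. With `client_auth=OPTIONAL` (or `REQUIRE`) the server sends a TLS CertificateRequest during the handshake, and a browser that holds a matching personal certificate answers that with a certificate picker; with `client_auth=NONE` no picker is shown. Separately, a certificate in the user's "personal" store is a client credential, not a trust anchor: the browser trusts the server only if the issuing CA sits in the OS or browser trusted-root store. The script below, added here as an example and not part of the original post or of Neo4j, parses `openssl s_client` output (as produced by OpenSSL 1.1.1/3.x) for exactly these two signals. The sample outputs, the host name `neo4j.corp.example` and the CA names in them are constructed; `probe()` shells out to a locally installed `openssl` and needs network access, while `parse_s_client()` runs offline.

```python
"""Diagnose why a browser shows a certificate picker against a TLS endpoint.

Added example (not from the original post). Parses `openssl s_client` output for:
  1. whether the server requested a client certificate (client_auth OPTIONAL/REQUIRE)
  2. whether the server certificate chains to a CA this client trusts
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

SUBJECT_RE = re.compile(r"^subject=(.*)$", re.M)
ISSUER_RE = re.compile(r"^issuer=(.*)$", re.M)
VERIFY_RE = re.compile(r"^Verify return code: (\d+) \((.*)\)$", re.M)
# s_client prints this header only when the server sent a CertificateRequest
# carrying at least one CA name.  Caveat: a request with an empty CA list is
# printed as "No client certificate CA names sent", so False is not conclusive.
CA_HEADER = "Acceptable client certificate CA names"


@dataclass
class ProbeResult:
    subject: Optional[str]
    issuer: Optional[str]
    verify_code: Optional[int]
    verify_text: Optional[str]
    client_cert_requested: bool
    acceptable_cas: List[str] = field(default_factory=list)

    def findings(self) -> List[str]:
        """Human-readable explanation of what a browser will do with this server."""
        out = []
        if self.client_cert_requested:
            out.append(
                "server requests a client certificate (client_auth=OPTIONAL or REQUIRE); "
                "browsers holding a personal certificate from one of these CAs will show a "
                f"certificate picker: {', '.join(self.acceptable_cas) or '<no CA names>'}"
            )
        if self.verify_code is None:
            out.append("no 'Verify return code' line: the handshake failed before a "
                       "certificate could be checked")
        elif self.verify_code != 0:
            out.append(
                f"server certificate is not trusted by this client: code {self.verify_code} "
                f"({self.verify_text}); the issuing CA must be in the OS/browser trusted-root "
                "store, a certificate in the user's personal store does not grant trust"
            )
        return out


def parse_s_client(output: str) -> ProbeResult:
    """Extract subject, issuer, verify result and client-cert request from s_client text."""
    subj = SUBJECT_RE.search(output)
    issr = ISSUER_RE.search(output)
    ver = VERIFY_RE.search(output)
    cas: List[str] = []
    requested = False
    lines = output.splitlines()
    for idx, line in enumerate(lines):
        if line.strip() == CA_HEADER:
            requested = True
            # CA names follow until the next "---" separator or a "Label: value" line
            for nxt in lines[idx + 1:]:
                if nxt.startswith("---") or re.match(r"^[A-Za-z][A-Za-z ]*:", nxt):
                    break
                cas.append(nxt.strip())
            break
    return ProbeResult(
        subject=subj.group(1).strip() if subj else None,
        issuer=issr.group(1).strip() if issr else None,
        verify_code=int(ver.group(1)) if ver else None,
        verify_text=ver.group(2) if ver else None,
        client_cert_requested=requested,
        acceptable_cas=cas,
    )


def probe(host: str, port: int, cafile: Optional[str] = None, timeout: int = 10) -> ProbeResult:
    """Run the local openssl binary against host:port (assumed installed; needs network)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    if cafile:
        cmd += ["-CAfile", cafile]  # the in-house CA, to see what a trusting client sees
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return parse_s_client(proc.stdout.decode(errors="replace"))


# Constructed sample: server with client_auth=OPTIONAL, CA not trusted by this client.
SAMPLE_CLIENT_AUTH_OPTIONAL = """\
CONNECTED(00000003)
depth=0 CN = neo4j.corp.example
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = neo4j.corp.example
   i:O = Example Corp, CN = Example Corp Issuing CA
---
subject=CN = neo4j.corp.example
issuer=O = Example Corp, CN = Example Corp Issuing CA
---
Acceptable client certificate CA names
O = Example Corp, CN = Example Corp Issuing CA
Client Certificate Types: RSA sign, ECDSA sign
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 20 (unable to get local issuer certificate)
---
"""

# Constructed sample: client_auth=NONE and the CA is trusted (probe run with -CAfile).
SAMPLE_CLIENT_AUTH_NONE = """\
CONNECTED(00000003)
---
subject=CN = neo4j.corp.example
issuer=O = Example Corp, CN = Example Corp Issuing CA
---
No client certificate CA names sent
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 0 (ok)
---
"""

if __name__ == "__main__":
    for name, sample in (("OPTIONAL", SAMPLE_CLIENT_AUTH_OPTIONAL),
                         ("NONE", SAMPLE_CLIENT_AUTH_NONE)):
        print(f"[{name}]", parse_s_client(sample).findings() or ["no issues found"])
```

Run `probe("<your fqdn>", 7687)` once without `-CAfile` (what a machine with no trust anchor sees) and once with the in-house CA file; if the first run reports a non-zero verify code and the second reports zero, the certificate itself is fine and only the trust store is missing the CA. A `client_cert_requested` of True explains a certificate picker regardless of trust.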