Erlang library for working with X.509 certificates.
Important: This library isn't considered mature yet. Certificates generated by this library should only be used for testing.
```erlang
RSAPrivateKey = erl509_private_key:create_rsa(2048).
Certificate = erl509_certificate:create_self_signed(
    RSAPrivateKey, <<"CN=example-ca">>, erl509_certificate_template:root_ca()).
PEM = erl509_certificate:to_pem(Certificate).
ok = file:write_file("example-ca.crt", PEM).
```
```
% openssl x509 -in example-ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6584168703948165264 (0x5b5faa8d44131090)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=example-ca
        Validity
            Not Before: Mar 25 21:06:24 2025 GMT
            Not After : Mar 23 21:06:24 2035 GMT
        Subject: CN=example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                ...
            X509v3 Subject Alternative Name:
                DNS:example-ca
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        ...
```
```erlang
CAKey = erl509_private_key:create_rsa(2048).
CACert = erl509_certificate:create_self_signed(
    CAKey, <<"CN=example-ca">>, erl509_certificate_template:root_ca()).
ServerKey = erl509_private_key:create_rsa(2048).
ServerPub = erl509_public_key:derive_public_key(ServerKey).
ServerCert = erl509_certificate:create(
    ServerPub, <<"CN=server">>, CACert, CAKey, erl509_certificate_template:server()).
ServerPEM = erl509_certificate:to_pem(ServerCert).
ok = file:write_file("server.crt", ServerPEM).
```
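To check that an issued server certificate really chains to its CA, the module below (an added example, not part of erl509 or its README) round-trips the certificates through PEM and runs OTP's `public_key:pkix_path_validation/3`, once against the issuing CA and once against an unrelated root. The module name `chain_check` and its helpers are hypothetical; it assumes erl509 is on the code path and that `to_pem/1` returns iodata containing a single certificate entry.

```erlang
-module(chain_check).
-export([run/0]).

%% Added example, not erl509's own code. Uses only the erl509 calls shown
%% in this README plus OTP's public_key application.
run() ->
    CAKey = erl509_private_key:create_rsa(2048),
    CACert = erl509_certificate:create_self_signed(
        CAKey, <<"CN=example-ca">>, erl509_certificate_template:root_ca()),

    ServerKey = erl509_private_key:create_rsa(2048),
    ServerPub = erl509_public_key:derive_public_key(ServerKey),
    ServerCert = erl509_certificate:create(
        ServerPub, <<"CN=server">>, CACert, CAKey,
        erl509_certificate_template:server()),

    %% A second root that did not sign ServerCert (constructed for contrast).
    OtherKey = erl509_private_key:create_rsa(2048),
    OtherCA = erl509_certificate:create_self_signed(
        OtherKey, <<"CN=other-ca">>, erl509_certificate_template:root_ca()),

    ServerDer = to_der(ServerCert),
    %% issuing_ca should validate; unrelated_ca should be rejected.
    #{issuing_ca => validate(to_der(CACert), ServerDer),
      unrelated_ca => validate(to_der(OtherCA), ServerDer)}.

%% Convert via PEM because to_pem/1 is the only encoder shown in the README.
%% Assumption: the PEM holds exactly one unencrypted 'Certificate' entry.
to_der(Cert) ->
    PEM = iolist_to_binary(erl509_certificate:to_pem(Cert)),
    [{'Certificate', Der, not_encrypted}] = public_key:pem_decode(PEM),
    Der.

%% Validate a one-element chain [Leaf] against the given trust anchor.
%% pkix_path_validation checks signature, issuer name, validity period
%% and critical extensions such as basic constraints and key usage.
validate(TrustAnchorDer, LeafDer) ->
    case public_key:pkix_path_validation(TrustAnchorDer, [LeafDer], []) of
        {ok, _PublicKeyInfoAndPolicyTree} -> valid;
        {error, {bad_cert, Reason}} -> {rejected, Reason}
    end.
```

Compile it alongside erl509 and call `chain_check:run().` from the Erlang shell; a `{rejected, Reason}` for `issuing_ca` points at a problem in the generated certificate or template.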
Ideally, we'd eventually reach feature-parity with the voltone/x509 package for Elixir (which is excellent, by the way).
You can run rebar3 escriptize to get a simple Erlang escript that can be used from the command line:
```sh
rebar3 escriptize
./_build/default/bin/erl509 self-signed \
    --out-cert root.crt --out-key root.key \
    --template root_ca --subject "CN=root"
./_build/default/bin/erl509 create-cert \
    --issuer-cert root.crt --issuer-key root.key \
    --out-cert server.crt --out-key server.key \
    --template server --subject "CN=localhost"
```