The idea of the library is to simplify certificates configuration in Erlang programs.
Typically an Erlang program which needs certificates (for HTTPS/MQTT/XMPP/etc)
provides a bunch of options such as certfile, chainfile, privkey, etc.
The situation becomes even more complicated when a server supports so called virtual domains
because a program is typically required to match a virtual domain with its certificate.
If a user has plenty of virtual domains (stored somewhere in /etc/letsencrypt/live/*/*.pem)
it's quickly becoming a nightmare for them to configure all this. The complexity also leads to
errors: a single configuration mistake and a program generates obscure log messages,
unreadable Erlang tracebacks or, even worse, just silently ignores the errors. Fortunately,
the large part of certificates configuration can be automated, reducing a user configuration
to something as simple as:
certfiles:
- /etc/letsencrypt/live/*/*.pemThe purpose of the library is to do this dirty job under the hood.
To compile the library you need:
- Erlang/OTP ≥ 19.0
- GNU Make. Optional: for running tests or standalone compilation.
Since this is an embedded library, you need to add https://github.com/processone/pkix.git repo to your rebar configuration or what have you.
Start the library as a regular Erlang application:
> application:ensure_all_started(pkix).or use pkix:start() which does the same.
Let's say you have two certificates: cert1.pem for domain1 and cert2.pem
for domain2 with their private keys key1.pem and key2.pem and
an intermediate CA certificate ca-intermediate.pem. Then the flow is the following:
- Add all your PEM files to the "staged" area (the order doesn't matter):
> pkix:add_file("cert1.pem").
> pkix:add_file("cert2.pem").
> pkix:add_file("key1.pem").
> pkix:add_file("key2.pem").
> pkix:add_file("ca-intermediate.pem").- Commit the changes to some directory, let's say,
"/tmp/certs":
> pkix:commit("/tmp/certs").Now you're able to fetch a certificate file containing full chain and the
private key for domain domain1 or domain2:
> pkix:get_certfile(<<"domain1">>).
{<<"/tmp/certs/7f9faada4a006091531cd37dafb70ca009630ac3">>,undefined,undefined}
> pkix:get_certfile(<<"domain2">>).
{undefined,<<"/tmp/certs/018e601430ed447e4bb767b2d610c6258c7a4e43">>,undefined}The first element of the tuple is an EC certificate (presented in cert1.pem),
the second element is an RSA certificate (presented in cert2.pem) and the third element
is a DSA certificate (missing in our example).
TODO. Sorry, read the source so far.