[erlang-questions] ssl_pkix:decode_cert_file exceptions with common PEM files

Colm Dougan <>
Fri Jan 16 14:12:07 CET 2009


Hi,

I installed the "ca-certificate" package in Debian which provides
common CA Certificate PEM files (like those that would be preinstalled
on a web-browser).

When I tried using ssl_pkix:decode_cert_file on the CA certificates
installed a lot of the certificates caused an exception which appear
to be due to a few  recurring certificate extensions:

1,2,840,113533,7,65,0    (entrust version extension)
2,16,840,1,113730,1,4    (Netscape CA Revocation URL)
2,16,840,1,113730,1,1    (Netscape Certificate Type)
2,16,840,1,113730,1,8    (Netscape CA policy URL)

I had a quick look at the ASN.1 definitions in the pkix directory of
the OTP distribution and the above definitions are missing. Is there
anyway to add the definitions, or a way to avoid the problem? I am
concerned if I use the new SSL erlang library to connect to a secure
Web site the certificate validation will fail.

Thanks,
Colm



More information about the erlang-questions mailing list