[erlang-questions] Comodo PositiveSSL certificates with Cowboy 1.x

Ali Sabil <>
Fri Dec 30 16:08:28 CET 2016


Great! But normally you wouldn't need to include the Root in your chain,
that will just bloat up the TLS handshake for no good reason.

On Fri, Dec 30, 2016 at 4:05 PM Frank Muller <>
wrote:

> Hi again Ali
>
> It worked ;-)
>
> Here’s what ‘I’ve done:
>
> 1. Concatenate them by reversing the lexicographical order:
> $ cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt
> AddTrustExternalCARoot.crt > cacert.pem
>
> 2. cp STAR_company_com.crt cert.pem
>
> 3. cp company.key key.pem
>
> Then, cowboy was happy with these settings:
> [ {cacertfile, "cacert.pem »},
>  {certfile, "cert.pem »},
>  {keyfile, "key.pem"} ]
>
> And now, « curl » isn’t complaining anymore ;-)
>
> Thank you. You made my day.
>
> /Frank
>
> Le ven. 30 déc. 2016 à 15:58, Ali Sabil <> a écrit :
>
> On Fri, Dec 30, 2016 at 3:46 PM Frank Muller <>
> wrote:
>
> Hi Ali,
>
> This what’s included in the Zip:
>
> AddTrustExternalCARoot.crt
> COMODORSAAddTrustCA.crt
> COMODORSADomainValidationSecureServerCA.crt
> STAR_company_com.crt
> company.key
>
> > 1. your certificate (foo_com.crt)
>
> So STAR_company_com.crt is my certificate.
>
>
> Yes, exactly
>
>
>
> > 2. a set of intermediary certificates (intermediate1.crt,
> intermediate2.crt)
>
> How do i know which one is the latest ... to build the intermediary
> certificate chain in this case?
> They're not numbered.
>
>
> For Comodo, `AddTrustExternalCARoor.crt` is the root certificate,
> followed by `COMODORSAAddTrustCA.crt` and then `
> COMODORSADomainValidationSecureServerCA.crt`
>
> so your chain will be:
>   cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt
> > chain.crt
>
>
>
>
> > 3. the root certificate (root.crt)
>
> What this one is useful for?
>
>
> The root certificate (AddTrustExternalCARoor.crt in your case) is useful
> for things like OCSP stapling as far as I know, which I don't think is
> implemented in Erlang SSL.
>
> If I am not mistaken, the Erlang SSL configuration is very similar to
> Apache.
>
>
>
> Thank you.
>
> /Frank
>
> Le ven. 30 déc. 2016 à 13:03, Ali Sabil <> a écrit :
>
> Hi Frank,
>
> I don't remember the exact details, but you should have received a zip
> file with a set of certificates. This zip file should contain
> 1. your certificate (foo_com.crt)
> 2. a set of intermediary certificates (intermediate1.crt,
> intermediate2.crt)
> 3. the root certificate (root.crt)
>
> You will need to concatenate all the intermediaries starting from the last
> one into what's called a intermediary certificate chain:
>     cat intermediate2.crt intermediate1.crt > chain.crt
>
> The configuration of cowboy is then done using the `certfile` and `
> cacertfile` options, for example:
>   [
>     {certfile, "foo_com.crt"},
>     {cacertfile, "chain.crt"}
>   ]
>
> These options are specified in the documentation of the Erlang SSL app (
> http://erlang.org/doc/man/ssl.html)
>
> Hope this helps,
> Ali
>
>
> On Fri, Dec 30, 2016 at 11:24 AM Frank Muller <>
> wrote:
>
> Hi guys,
>
> I would like to configure my "Comodo PositiveSSL" certificates with
> Cowboy.
>
> So far the self-signed OpenSSL certificates I've generated worked as
> expected. But I've no idea how to configure the "Comodo" ones.
>
>
> Can someone point me to a tutorial please? Or help on the setup?
>
>
>
>
> Thanks in advance.
>
> N.B: Comodo provides explanations for Nginx, Apache, etc. But not Cowboy
> unfortunately :-(
>
> Happy new year !!!
> /Frank
>
>
>
> _______________________________________________
>
>
> erlang-questions mailing list
>
>
> 
>
>
> http://erlang.org/mailman/listinfo/erlang-questions
>
>
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20161230/13aab3e0/attachment.html>


More information about the erlang-questions mailing list