[erlang-questions] Comodo PositiveSSL certificates with Cowboy 1.x

Frank Muller <>
Fri Dec 30 16:15:19 CET 2016


Just deleted the root certificate from the chain.
Thank you again Ali !!!

/Frank

On Fri, Dec 30, 2016 at 16:08, Ali Sabil <> wrote:

> Great! But normally you wouldn't need to include the Root in your chain,
> that will just bloat up the TLS handshake for no good reason.
>
> On Fri, Dec 30, 2016 at 4:05 PM Frank Muller <>
> wrote:
>
> Hi again Ali
>
> It worked ;-)
>
> Here's what I've done:
>
> 1. Concatenate them by reversing the lexicographical order:
> $ cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > cacert.pem
>
> 2. cp STAR_company_com.crt cert.pem
>
> 3. cp company.key key.pem
>
> Then, cowboy was happy with these settings:
> [ {cacertfile, "cacert.pem"},
>  {certfile, "cert.pem"},
>  {keyfile, "key.pem"} ]
>
> And now, « curl » isn’t complaining anymore ;-)
>
> Thank you. You made my day.
>
> /Frank
>
> On Fri, Dec 30, 2016 at 15:58, Ali Sabil <> wrote:
>
> On Fri, Dec 30, 2016 at 3:46 PM Frank Muller <>
> wrote:
>
> Hi Ali,
>
> This is what's included in the Zip:
>
> AddTrustExternalCARoot.crt
> COMODORSAAddTrustCA.crt
> COMODORSADomainValidationSecureServerCA.crt
> STAR_company_com.crt
> company.key
>
> > 1. your certificate (foo_com.crt)
>
> So STAR_company_com.crt is my certificate.
>
>
> Yes, exactly
>
>
>
> > 2. a set of intermediary certificates (intermediate1.crt,
> intermediate2.crt)
>
> How do I know which one is the latest ... to build the intermediary
> certificate chain in this case?
> They're not numbered.
>
>
> For Comodo, `AddTrustExternalCARoot.crt` is the root certificate,
> followed by `COMODORSAAddTrustCA.crt` and then
> `COMODORSADomainValidationSecureServerCA.crt`
>
> so your chain will be:
>   cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > chain.crt
>
>
>
>
> > 3. the root certificate (root.crt)
>
> What is this one useful for?
>
>
> The root certificate (AddTrustExternalCARoot.crt in your case) is useful
> for things like OCSP stapling as far as I know, which I don't think is
> implemented in Erlang SSL.
>
> If I am not mistaken, the Erlang SSL configuration is very similar to
> Apache.
>
>
>
> Thank you.
>
> /Frank
>
> On Fri, Dec 30, 2016 at 13:03, Ali Sabil <> wrote:
>
> Hi Frank,
>
> I don't remember the exact details, but you should have received a zip
> file with a set of certificates. This zip file should contain
> 1. your certificate (foo_com.crt)
> 2. a set of intermediary certificates (intermediate1.crt,
> intermediate2.crt)
> 3. the root certificate (root.crt)
>
> You will need to concatenate all the intermediaries starting from the last
> one into what's called an intermediary certificate chain:
>     cat intermediate2.crt intermediate1.crt > chain.crt
>
> The configuration of cowboy is then done using the `certfile` and
> `cacertfile` options, for example:
>   [
>     {certfile, "foo_com.crt"},
>     {cacertfile, "chain.crt"}
>   ]
>
> These options are specified in the documentation of the Erlang SSL app
> (http://erlang.org/doc/man/ssl.html)
>
> Hope this helps,
> Ali
>
>
> On Fri, Dec 30, 2016 at 11:24 AM Frank Muller <>
> wrote:
>
> Hi guys,
>
> I would like to configure my "Comodo PositiveSSL" certificates with
> Cowboy.
>
> So far the self-signed OpenSSL certificates I've generated worked as
> expected. But I've no idea how to configure the "Comodo" ones.
>
>
> Can someone point me to a tutorial please? Or help on the setup?
>
>
>
>
> Thanks in advance.
>
> N.B: Comodo provides explanations for Nginx, Apache, etc. But not Cowboy
> unfortunately :-(
>
> Happy new year !!!
> /Frank
>
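
The thread's question of how to tell which unnumbered CA file comes first can be answered from the certificates themselves. This is an added example, not part of the original thread: the function names `order_chain` and `make_demo_pki` are hypothetical, the demo hierarchy is constructed, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is installed.

# Print the CA files that form the chain for leaf $1, nearest issuer first.
# Matching uses subject/issuer name hashes only, so finish with `openssl verify`.
# A self-signed certificate (the root) ends the walk and is not printed.
order_chain() {
    leaf=$1; shift
    want=$(openssl x509 -noout -issuer_hash -in "$leaf") || return 1
    out=""; left=$#
    while [ "$left" -gt 0 ]; do              # bounded, so a name loop cannot spin
        left=$((left - 1)); found=""
        for ca in "$@"; do
            if [ "$(openssl x509 -noout -subject_hash -in "$ca")" = "$want" ]; then
                found=$ca; break
            fi
        done
        if [ -z "$found" ]; then break; fi   # issuer not among the files
        next=$(openssl x509 -noout -issuer_hash -in "$found") || return 1
        if [ "$next" = "$want" ]; then break; fi   # self-signed root: omit
        out="$out${out:+ }$found"; want=$next
    done
    printf '%s\n' "$out"
}

# Constructed throwaway hierarchy for the demo: root -> int1 -> int2 -> leaf.
make_demo_pki() {
    d=$1; issuer=root
    printf 'basicConstraints=CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo root" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
    for name in int1 int2 leaf; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo $name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
        ext="-extfile $d/ca.ext"
        if [ "$name" = leaf ]; then ext=""; fi
        # $ext is left unquoted on purpose so it splits into two arguments.
        openssl x509 -req -in "$d/$name.csr" -days 1 -CA "$d/$issuer.crt" \
            -CAkey "$d/$issuer.key" -CAcreateserial $ext \
            -out "$d/$name.crt" 2>/dev/null || return 1
        issuer=$name
    done
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d) && make_demo_pki "$tmp" || exit 1
    order_chain "$tmp/leaf.crt" "$tmp/root.crt" "$tmp/int1.crt" "$tmp/int2.crt"
    rm -rf "$tmp"
fi
```

The printed order is the order to `cat` the files into the `cacertfile`; file names containing spaces are not handled. With the files from this thread, the result can be confirmed with `openssl verify -CAfile AddTrustExternalCARoot.crt -untrusted chain.crt STAR_company_com.crt`.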