We are using Cowboy with an HTTPS listener and would like to do mTLS. We have a similar setup using nginx in another application and specify a certificate file (ssl_client_certificate) which allows us to verify client certificates. We also specify another certificate file (ssl_certificate) to allow clients to verify the server.
Is it possible in Cowboy to specify these two certificates? We can have one for the clients to verify the server but not too sure on how we can verify client certificates. I only see one “certfile” property in the configuration.
We would like to be able to verify client certificates while allowing the server to present a different certificate to clients for them to trust the server.
There might be documentation for how we can do this but I have not seen anything specifically for this setup or comparable to nginx. Any help with how we can achieve this is appreciated.
You should take a look at Erlang -- ssl
When you specify cacertfile / cacerts on the server-side, these are normally used to verify the client certificate.
Keep in mind that the cacerts and cacertfile options serve two roles when doing mTLS: they are used to specify the trust store used when verifying the other party’s certificate, and also to look up any intermediates that may need to be included in the ‘chain’ that is sent for the local party’s certificate.
So on a server, the CA certs would have to include the server certificate’s intermediates and the trusted CA that issued the client certs. And on the client, CA certs should include the usual CA trust store (or the specific one that issued the server’s cert, if you want to pin it that way) and any intermediates that should be sent with the client certificate.
In recent OTP versions you can, as an alternative approach, set certs to a list containing the local endpoint’s certificate and intermediates, and in that case cacerts would only have to contain the trust store.
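Putting the two replies above together, here is an added example (not code from the original thread or from the Cowboy project) of a Cowboy TLS listener configured for mTLS the way the first reply describes: `certfile`/`keyfile` carry the server's own identity, and `cacertfile` carries both the trust store for client certificates and any intermediates for the server chain, as the second reply explains. The file paths, port, and the `mtls_handler` module are assumptions; the `certs`-list alternative for recent OTP releases mentioned above is not shown.

```erlang
%% mtls_listener.erl -- added example, not part of the original thread.
%% Assumes Cowboy 2.x and Ranch, and that the PEM files below exist.
-module(mtls_listener).
-export([start/0]).

start() ->
    Dispatch = cowboy_router:compile([
        {'_', [{"/whoami", mtls_handler, []}]}
    ]),
    %% Transport options are passed straight to ranch_ssl / Erlang ssl.
    %% Paths below are placeholders (assumption).
    TransportOpts = [
        {port, 8443},
        %% Server identity presented to clients (nginx: ssl_certificate).
        {certfile, "/etc/cowboy/server.pem"},
        {keyfile,  "/etc/cowboy/server-key.pem"},
        %% Single CA bundle with two roles: the CA that issued client certs
        %% (nginx: ssl_client_certificate) AND any intermediates that must
        %% be sent with the server certificate.
        {cacertfile, "/etc/cowboy/ca-bundle.pem"},
        %% Ask for and verify the client certificate against cacertfile.
        {verify, verify_peer},
        %% Reject the handshake when no client certificate is presented;
        %% without this a missing client cert is silently accepted.
        {fail_if_no_peer_cert, true},
        %% Limit how long a client chain may be (root + N intermediates).
        {depth, 2}
    ],
    cowboy:start_tls(mtls_https, TransportOpts,
                     #{env => #{dispatch => Dispatch}}).
```

```erlang
%% mtls_handler.erl -- added example handler (assumed module name).
%% Demonstrates reading the verified client certificate in a request.
-module(mtls_handler).
-export([init/2]).

init(Req0, State) ->
    %% cowboy_req:cert/1 returns the DER-encoded peer certificate, or
    %% 'undefined' when the connection carried none.
    Req = case cowboy_req:cert(Req0) of
        undefined ->
            cowboy_req:reply(403, #{<<"content-type">> => <<"text/plain">>},
                             <<"client certificate required">>, Req0);
        Der when is_binary(Der) ->
            %% A SHA-256 fingerprint is a safe value to log or echo for
            %% troubleshooting which client certificate was accepted.
            Fp = binary:encode_hex(crypto:hash(sha256, Der)),
            cowboy_req:reply(200, #{<<"content-type">> => <<"text/plain">>},
                             <<"client cert sha256=", Fp/binary>>, Req0)
    end,
    {ok, Req, State}.
```

With `verify_peer` and `fail_if_no_peer_cert` set, clients that present no certificate (or one not issued by a CA in `ca-bundle.pem`) are rejected during the TLS handshake, so the 403 branch in the handler only triggers if `fail_if_no_peer_cert` is later relaxed to `false`. `binary:encode_hex/1` requires OTP 24 or newer.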
I assume it will be the certificates I am using and need to add others into the list. I was wondering if there was anything else due to it being self signed but it seems unlikely.