X509 - High-level APIs around certificates, CSRs and key pairs

Erlang/OTP’s :public_key application provides a set of high-level APIs for working with common PKI-related data structures. Under the hood, it supports many more data types, extracted at build time from various standard ASN.1 files. Combining those APIs and the underlying data types to perform common tasks can be a challenge.

The x509 package offers convenient Elixir APIs for:

  • Generating RSA and EC private keys
  • Deriving the public key from a given private key
  • Wrapping and unwrapping keys (e.g. PKCS#8 containers)
  • Creating ‘Relative Distinguished Names’ (e.g. Subject and Issuer names)
  • Creating PKCS#10 CSRs
  • Creating self-signed and issuer-signed RSA and ECDSA certificates with extensions, based on pre-defined or custom templates
  • Exporting and importing entities in PEM and DER format

As a design decision, functions return standard :public_key data types rather than Elixir structs, so the results can be used directly in calls to Erlang/OTP and related libraries.

There is still some work to be done, in documentation and test coverage as well as functional enhancements, but I believe it is in good enough shape for others to start experimenting. Please note that the API may change until it hits 1.0.

Feedback is welcome, both here and as GitHub issues/PRs!


I just published v0.3.0, which paves the way for some API changes ahead of a 1.0 release. This version does not change any existing APIs, but does introduce new functions that adhere to the new API style. In the next release the return value of existing functions will be changed!

Please have a look at the release notes and start using the new API where possible, so as not to be affected by those upcoming changes.

Sorry for the inconvenience, I just want to make sure I have a clean, consistent and future-proof API in place by the time this hits 1.0.


Release v0.4.0 is now available. Please check the release notes for details on breaking changes! Hopefully the API will now be stable until v1.0.

This release includes some fixes for issues that might cause certificate chain verification errors for certificates issued from an intermediate CA, and for ECDSA certificates issued from any CA. Hat tip to @fhunleth and @mobileoverlord for those and other contributions.

Now working on CRL support for 0.5.0.


Earlier today I released v0.5.0. It includes support for CRLs and it introduces tools to help test TLS clients/servers. Release notes are here.

Enjoy, and do let me know what you’d like to see next…