Seeking guidance on generating X.509 certificates in pure Erlang for OTP 28

Hello Erlang/OTP team,

I’m evaluating the X.509 certificate generation capabilities of Erlang/OTP. My goal is to:

  • Generate a self-signed Root CA certificate.

  • Use that Root CA to issue a child certificate with Subject Alternative Name (SAN) extensions.

My findings:

  • Old methods no longer work: The previous approach based on the internal erl_make_certs.erl module worked on OTP 25, but fails on OTP 28 (screenshot attached).

  • Official API still exists: The documentation for public_key:pkix_sign/2 indicates it can sign an OTPTBSCertificate, which appears to be the core API for certificate signing.

  • Official documentation recommends external tools: The official “Creating Certificates” guide currently suggests using the openssl command-line tool to generate test certificates, rather than pure Erlang code.

My questions:

  1. In OTP 28, is public_key:pkix_sign/2 still the recommended API for signing OTPTBSCertificate records?

  2. Is there an officially maintained, updated code example (like a pure Erlang replacement for erl_make_certs.erl) that demonstrates the complete certificate generation workflow?

  3. The community-driven x509 library is mentioned in the official documentation. It appears to be a high-level wrapper built on top of the public_key API. Is it considered the current best practice in the ecosystem?

I’d appreciate your guidance. Thank you very much!

:smiley:

If you’re using Elixir, then I’d highly recommend x509. If you’re using pure Erlang, I wrote this: rlipscombe/erl509 on GitHub (Erlang library for working with X.509 certificates).
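
For the two goals listed in the question (a self-signed root, then a child certificate with SAN entries issued by it), here is an added example that is not from either poster or from OTP's own sources. It uses public_key:pkix_test_root_cert/2 and public_key:pkix_test_data/1, which public_key documents for generating test certificates. The module name, function names and DNS names are hypothetical, and it assumes the 'Extension' record and the 'id-ce-subjectAltName' macro are available from public_key.hrl.

```erlang
%% Added example: test-only root CA plus a leaf certificate with SAN entries.
-module(san_chain_example).
-include_lib("public_key/include/public_key.hrl").
-export([make_chain/1, leaf_sans/1, check/0]).

%% Build a self-signed root, then a leaf signed by it that carries the
%% given DNS names in subjectAltName. Certificates are returned DER-encoded.
make_chain(DnsNames) ->
    Root = public_key:pkix_test_root_cert("Example Test Root CA",
                                          [{digest, sha256}]),
    %% Assumption: record and OID macro come from public_key.hrl.
    San = #'Extension'{extnID = ?'id-ce-subjectAltName',
                       extnValue = [{dNSName, N} || N <- DnsNames],
                       critical = false},
    Conf = public_key:pkix_test_data(
             #{root => Root,            % reuse the root's cert and key
               intermediates => [],     % leaf is issued directly by the root
               peer => [{digest, sha256}, {extensions, [San]}]}),
    #{root_cert => maps:get(cert, Root),
      root_key  => maps:get(key, Root),
      leaf_cert => proplists:get_value(cert, Conf),
      leaf_key  => proplists:get_value(key, Conf)}.

%% Decode the leaf and return the dNSName entries of its SAN extension.
leaf_sans(LeafDer) ->
    #'OTPCertificate'{tbsCertificate = Tbs} =
        public_key:pkix_decode_cert(LeafDer, otp),
    case lists:keyfind(?'id-ce-subjectAltName', #'Extension'.extnID,
                       Tbs#'OTPTBSCertificate'.extensions) of
        #'Extension'{extnValue = Names} -> [N || {dNSName, N} <- Names];
        false -> []
    end.

%% Confirm the leaf chains to the root and carries exactly the names asked for.
check() ->
    Names = ["service.example.test", "localhost"],   % constructed sample names
    #{root_cert := RootDer, leaf_cert := LeafDer} = make_chain(Names),
    {ok, _} = public_key:pkix_path_validation(RootDer, [LeafDer], []),
    Names = leaf_sans(LeafDer),
    ok.
```

The generated keys are held only in memory; for anything beyond test fixtures, generate and store the CA key under your own controls rather than through the test-data helpers.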