@buffrr
Last active March 2, 2024 05:39
Generate an x509 certificate and a TLSA record with openssl

Creating a self-signed certificate for example.com (if you already have a certificate you can skip this step):

openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
  -keyout cert.key -out cert.crt -extensions ext  -config \
  <(echo "[req]"; 
    echo distinguished_name=req; 
    echo "[ext]";
    echo "keyUsage=critical,digitalSignature,keyEncipherment";
    echo "extendedKeyUsage=serverAuth";
    echo "basicConstraints=critical,CA:FALSE";
    echo "subjectAltName=DNS:example.com,DNS:*.example.com";
    ) -subj "/CN=*.example.com"

Generate the TLSA record rdata (you can also use this tool):

echo -n "3 1 1 " && openssl x509 -in cert.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | xxd  -p -u -c 32

Add the TLSA record to your zone file
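The openssl pipeline above hashes the certificate's DER-encoded SubjectPublicKeyInfo (selector 1) with SHA-256 (matching type 1) under usage 3 (DANE-EE). The following script is an added example, not part of buffrr's gist: it performs the same computation in pure standard-library Python (a small DER walker extracts the SubjectPublicKeyInfo, so no third-party library is needed), emits a ready-to-paste zone line, and checks whether a published TLSA record matches a certificate. It generalizes beyond the gist's `3 1 1` case to selector 0 (full certificate) and matching types 0 (exact) and 2 (SHA-512). The embedded sample certificate is constructed inline and is structurally valid but not signed by any key; the host name `mx1.mails.example.org` is taken from the comments below and is only a placeholder.

```python
"""Compute and verify DANE TLSA rdata (RFC 6698) from an X.509 certificate.

Added example, not code from the gist. Standard library only.
"""
import base64
import hashlib
import re
import sys


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour of the first CERTIFICATE block and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def _tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def spki_from_cert(der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo, i.e. the bytes selector 1 covers."""
    tag, pos, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, pos, _ = _tlv(der, pos)            # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a DER SEQUENCE")
    tag, _, nxt = _tlv(der, pos)            # optional [0] EXPLICIT version
    if tag == 0xA0:
        pos = nxt
    for _ in range(5):                      # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(der, pos)
    tag, _, end = _tlv(der, pos)            # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a DER SEQUENCE")
    return der[pos:end]


def tlsa_rdata(der: bytes, usage: int = 3, selector: int = 1, matching: int = 1) -> str:
    """Build the TLSA rdata text; defaults give the gist's '3 1 1 <sha256>' form."""
    data = der if selector == 0 else spki_from_cert(der)
    if matching == 0:
        assoc = data.hex().upper()
    elif matching == 1:
        assoc = hashlib.sha256(data).hexdigest().upper()
    elif matching == 2:
        assoc = hashlib.sha512(data).hexdigest().upper()
    else:
        raise ValueError("matching type must be 0, 1 or 2")
    return f"{usage} {selector} {matching} {assoc}"


def tlsa_zone_line(host: str, port: int, der: bytes, proto: str = "tcp", **kw) -> str:
    """Zone-file line; the owner name is _<port>._<proto>.<host>. as in RFC 6698."""
    return f"_{port}._{proto}.{host}. IN TLSA {tlsa_rdata(der, **kw)}"


def tlsa_matches(rdata: str, der: bytes) -> bool:
    """True if a published rdata string matches this certificate (case/space-insensitive hex)."""
    usage, selector, matching, assoc = rdata.split(None, 3)
    expected = tlsa_rdata(der, int(usage), int(selector), int(matching)).split()[3]
    return expected == "".join(assoc.split()).upper()


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed sample: a structurally valid, unsigned certificate skeleton (not a real key).
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
                                    + der_tlv(0x05, b"")) + der_tlv(0x03, b"\x00" + b"\x01" * 16))
_TBS = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
               + der_tlv(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT_DER = der_tlv(0x30, _TBS + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER).decode()
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Usage: python tlsa.py cert.crt [host port]  (falls back to the constructed sample)
    der = pem_to_der(open(sys.argv[1]).read()) if len(sys.argv) > 1 else SAMPLE_CERT_DER
    host = sys.argv[2] if len(sys.argv) > 2 else "mx1.mails.example.org"
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 25
    print(tlsa_zone_line(host, port, der))
```

Run it against the `cert.crt` produced by the openssl command above and the hex it prints equals the output of the openssl pipeline; `tlsa_matches("3 1 1 <hex from DNS>", der)` is the same check that `openssl s_client -dane_tlsa_rrdata` performs on the live connection, only offline.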

@williamdes

Using a remote host

echo -n "3 1 1 " && openssl s_client -connect mx1.mails.example.org:465 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | xxd  -p -u -c 32

@williamdes

williamdes commented Aug 1, 2023

And to test it:

# Did not work for me
openssl s_client -brief -starttls smtp -dane_tlsa_domain mx1.mails.example.org -dane_tlsa_rrdata "3 1 1 666792F7857D333D59655A19CA59CD88B7C535CD699DCEAA290B943DEB8E23FD" -connect mx1.mails.example.org:25 <<< "Q"
# Works for me
openssl s_client -brief -dane_tlsa_domain mx1.mails.example.org -dane_tlsa_rrdata "3 1 1 666792F7857D333D59655A19CA59CD88B7C535CD699DCEAA290B943DEB8E23FD" -connect mx1.mails.example.org:465 <<< "Q"

Ref: https://github.com/internetstandards/toolbox-wiki/blob/main/DANE-for-SMTP-how-to.md
Ref: https://www.mailhardener.com/kb/how-to-create-a-dane-tlsa-record-with-openssl

The best is to test on: https://www.checktls.com/TestReceiver

@rithvikvibhu

To get the TLSA record of a remote host (updated):

echo -n "3 1 1 " && openssl s_client -connect 157.245.63.29:443 -servername letsdane <<< "Q" 2>/dev/null | openssl x509 -pubkey -noout -in /dev/stdin | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | xxd -p -u -c 32
  • add -in /dev/stdin to remove openssl's new warning that reads Warning: Reading certificate from stdin since no -in or -new option is given
  • add <<< "Q" so the connection is quit automatically without a ctrl+C
  • optionally separate out IP with -servername
