Skip to content

Instantly share code, notes, and snippets.

@buffrr

buffrr/x509-dane.md

Last active May 15, 2023 22:46
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Generate an x509 certificate and a TLSA record with openssl
Raw
x509-dane.md

Creating a self-signed certificate for example.com (if you already have a certificate you can skip this step):

openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
  -keyout cert.key -out cert.crt -extensions ext  -config \
  <(echo "[req]"; 
    echo distinguished_name=req; 
    echo "[ext]";
    echo "keyUsage=critical,digitalSignature,keyEncipherment";
    echo "extendedKeyUsage=serverAuth";
    echo "basicConstraints=critical,CA:FALSE";
    echo "subjectAltName=DNS:example.com,DNS:*.example.com";
    ) -subj "/CN=*.example.com"

Generate the TLSA record rdata (you can also use this tool):

echo -n "3 1 1 " && openssl x509 -in cert.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | xxd  -p -u -c 32

Add the TLSA record to your zone file

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment