@lolo32
Last active May 16, 2017 09:46
Creating TLSA/DANE DNS record
#!/bin/sh
# Usage number 0 – CA specification
# Specifies the Certificate Authority (CA) that will issue the TLS certificates
# for the domain. This only says that the domain's TLS certificates come from
# a specific CA: if we use GeoTrust as our CA, only GeoTrust is allowed, and
# it is difficult to obtain an SSL/TLS certificate from GeoTrust without
# being us.
# Usage number 1 – Specific TLS certificate
# Specifies the exact TLS certificate that must be used for the domain,
# e.g. the specific GeoTrust certificate issued for this domain. At this
# moment the CA cannot be Let's Encrypt (Let's Encrypt recommends using
# usage 2 or 3). This should be the most common case.
# Usage Number 2 – Trust anchor assertion
# Specifies the trust anchor to be used for validating the TLS certificates
# for the domain. It is basically for CA’s own websites.
# Usage number 3 – Domain-issued certificate
# Specifies the exact TLS certificate that must be used for the domain,
# but the certificate can be self-signed. It is basically just an extra
# security measure.
# Selector (second field of the record):
# Using the full certificate (0 – Cert)
# Using only the subject public key (1 – SPKI)
# Matching type (third field of the record):
# No hash (0 – Full)
# SHA-256 hash (1 – SHA-256)
# SHA-512 hash (2 – SHA-512)
# Next, your record will generally look like:
# _443._tcp.www.example.org. 3600 TLSA 1 0 1 6F09D78BD9C070D4F461978C3A34EF3FDA56515BBAE0A87A0A4787D786181B6A
# with:
# - 443: the port number of the server (HTTPS here)
# - tcp: the transport protocol
# - 3600: the TTL of the DNS record
# - 1 0 1: usage, selector and matching type (see the remarks above and the hash used)
# - last comes the generated hash
# Once configured, allow some time for the record to propagate; you can then
# check it with https://check.sidnlabs.nl/dane/
# For an "x 0 1" record (selector 0 = full certificate, SHA-256), with x generally 1
openssl x509 -noout -fingerprint -sha256 < /path/to/your/certificate/file |tr -d : |cut -d"=" -f2 |tr '[:upper:]' '[:lower:]'
# For an "x 0 2" record (selector 0 = full certificate, SHA-512), with x generally 1
openssl x509 -noout -fingerprint -sha512 < /path/to/your/certificate/file |tr -d : |cut -d"=" -f2 |tr '[:upper:]' '[:lower:]'
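The two openssl lines above only cover selector 0 (the whole certificate). As an added example that is not part of the gist, the following stdlib-only Python computes the TLSA data for every selector/matching-type combination the comments describe (0 = full certificate, 1 = SubjectPublicKeyInfo; 0 = raw, 1 = SHA-256, 2 = SHA-512), prints the record in the same form as the example above, and performs the check a DANE-aware client performs for usage 1 or 3: compare the served end-entity certificate against the published data. The SPKI is located with a small DER walker that follows the fixed field order of an X.509 TBSCertificate. The certificate used here is a constructed, unsigned test structure built inline (its key and signature bits are placeholders); with a real certificate you would read the DER bytes from a file instead.

```python
"""TLSA record data for X.509 certificates, stdlib only (added example, not from the gist)."""
import hashlib


def _tlv(buf, pos):
    """Decode one DER TLV at pos. Returns (tag, content_start, content_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first & 0x80:                        # long form: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    else:
        length = first
        start = pos + 2
    return tag, start, start + length


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo (selector 1 input).

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = _tlv(cert_der, 0)                  # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv(cert_der, pos)                # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    if cert_der[pos] == 0xA0:                        # explicit [0] version is optional
        _, _, pos = _tlv(cert_der, pos)
    for _ in range(5):                               # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)                # subjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("missing subjectPublicKeyInfo")
    return cert_der[pos:end]


def tlsa_data(cert_der, selector, matching):
    """Certificate association data (lowercase hex) for the given selector/matching type."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching == 0:
        return data.hex()                            # "Full": raw DER, no hash
    if matching == 1:
        return hashlib.sha256(data).hexdigest()
    if matching == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("matching type must be 0, 1 or 2")


def tlsa_record(host, port, cert_der, usage=3, selector=1, matching=1, proto="tcp", ttl=3600):
    """Zone-file line in the same shape as the gist's example record."""
    return (f"_{port}._{proto}.{host}. {ttl} TLSA {usage} {selector} {matching} "
            f"{tlsa_data(cert_der, selector, matching)}")


def matches_tlsa(cert_der, usage, selector, matching, data_hex):
    """Check a presented end-entity certificate against a usage-1/3 record.

    Usage 0 and 2 records describe a CA in the chain, not the leaf, so they
    need the whole chain and are rejected here rather than silently misjudged.
    """
    if usage not in (1, 3):
        raise ValueError("usage 0/2 must be matched against the chain, not the leaf")
    expected = "".join(data_hex.split()).replace(":", "").lower()
    return tlsa_data(cert_der, selector, matching) == expected


def _der(tag, content):
    """DER-encode one TLV with a definite length (used only to build test data)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def constructed_cert():
    """Constructed, structurally valid but unsigned X.509 DER; returns (cert, spki)."""
    oid_rsa = _der(0x06, bytes.fromhex("2a864886f70d010101"))        # rsaEncryption
    oid_sha256rsa = _der(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
    null = _der(0x05, b"")

    def name(cn):                                    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        atv = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode()))
        return _der(0x30, _der(0x31, atv))

    validity = _der(0x30, _der(0x17, b"170516000000Z") + _der(0x17, b"180516000000Z"))
    spki = _der(0x30, _der(0x30, oid_rsa + null) + _der(0x03, b"\x00" + b"\x42" * 64))  # placeholder key bits
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, oid_sha256rsa + null) + name("Test CA") + validity
               + name("www.example.org") + spki)
    sig = _der(0x03, b"\x00" * 65)                   # placeholder signature, never verified
    return _der(0x30, tbs + _der(0x30, oid_sha256rsa + null) + sig), spki


if __name__ == "__main__":
    cert, _ = constructed_cert()
    for sel in (0, 1):
        for mt in (1, 2):
            print(tlsa_record("www.example.org", 443, cert, usage=3, selector=sel, matching=mt))
```

The `tbsCertificate` of the constructed certificate is longer than 127 bytes, so the walker exercises both short- and long-form DER lengths. Selector 1 is the one worth publishing for usage 3 with frequently renewed certificates: as long as the key pair is reused, the SPKI hash stays stable across renewals while the full-certificate hash (selector 0) changes every time.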