Last active
May 16, 2017 09:46
Creating TLSA/DANE DNS record
#!/bin/sh
# A TLSA record carries three numbers followed by the certificate association data:
# usage, selector and matching type (for example "1 0 1").
#
# Usage (first number)
#
# Usage 0 – CA specification
# Specifies the Certificate Authority (CA) that will provide the TLS certificates
# for the domain. We can only say that the domain will use TLS certificates
# from a specific CA. For example, if we use Geotrust as our CA, only Geotrust
# certificates will be accepted. It is difficult for anyone else to obtain an
# SSL/TLS certificate for our domain from Geotrust without being us.
#
# Usage 1 – Specific TLS certificate
# Specifies the exact TLS certificate that must be used for the domain, for
# example the specific Geotrust certificate issued for this domain. The CA
# cannot be Let's Encrypt at this moment (Let's Encrypt recommends using
# usage 2 or 3). This should be the most common case.
#
# Usage 2 – Trust anchor assertion
# Specifies the trust anchor to be used for validating the TLS certificates
# for the domain. It is basically for a CA's own websites.
#
# Usage 3 – Domain-issued certificate
# Specifies the exact TLS certificate that must be used for the domain, but
# the certificate can be self-signed. It is basically just a security measure.
#
# Selector (second number): what the association data covers
#
# 0 – Cert: the full certificate
# 1 – SPKI: the subject public key only
#
# Matching type (third number): how the selected data is represented
#
# 0 – Full: no hash, the raw data
# 1 – SHA-256 hash
# 2 – SHA-512 hash
#
# Next, your record will generally look like:
# _443._tcp.www.example.org. 3600 TLSA 1 0 1 6F09D78BD9C070D4F461978C3A34EF3FDA56515BBAE0A87A0A4787D786181B6A
# with:
# - 443: the port number of the server (HTTPS here)
# - tcp: the protocol to use
# - 3600: the TTL of the DNS record
# - 1 0 1: usage, selector and matching type; see the notes above and use the
#   hash matching the third number
# - last comes the generated hash
#
# Once configured, allow some time for the record to propagate, then you can
# check it with https://check.sidnlabs.nl/dane/

# Path to the PEM certificate file; pass it as the first argument or edit the default.
CERT=${1:-/path/to/your/certificate/file}

# For an "x 0 1" record (full certificate, SHA-256), with x generally 1.
# openssl prints "SHA256 Fingerprint=AB:CD:..."; strip the colons, keep the hex, lowercase it.
openssl x509 -noout -fingerprint -sha256 -in "$CERT" | tr -d : | cut -d"=" -f2 | tr '[:upper:]' '[:lower:]'

# For an "x 0 2" record (full certificate, SHA-512), with x generally 1.
openssl x509 -noout -fingerprint -sha512 -in "$CERT" | tr -d : | cut -d"=" -f2 | tr '[:upper:]' '[:lower:]'
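The openssl lines above only produce selector 0 (full certificate) data. The following is an added example, not part of the gist, written in Python with only the standard library so it runs without openssl: a minimal DER walker pulls the SubjectPublicKeyInfo out of a certificate, so it can generate selector 1 records as well as the selector 0 hashes, render a zone-file line, and check whether a presented certificate satisfies a record. The two certificates it works on are constructed in the block (structurally valid DER with a zeroed key and signature) purely to show why Let's Encrypt users want selector 1: a renewal that keeps the same key leaves the "3 1 1" data unchanged while the "x 0 1" hash changes. The names `extract_spki`, `tlsa_data`, `tlsa_record`, `tlsa_matches` and `build_sample_cert` are this example's own.

```python
"""Compute and check TLSA (DANE) certificate-association data from a DER certificate.

Added example, not part of the gist. Standard library only.
"""
import hashlib


def _tlv(tag, value):
    """Encode one DER tag-length-value (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _read_tlv(buf, pos):
    """Decode the TLV starting at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (whole TLV) of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    tag2, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER certificate")
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:                                     # explicit [0] version (v2/v3 certs)
        pos = nxt
    for _ in range(5):                                  # serial, sigalg, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    tag, _, end = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return tbs[pos:end]


# Selector: what the association data covers. Matching type: how it is represented.
SELECTOR = {0: lambda der: der, 1: extract_spki}
MATCHING = {0: lambda b: b.hex(),
            1: lambda b: hashlib.sha256(b).hexdigest(),
            2: lambda b: hashlib.sha512(b).hexdigest()}


def tlsa_data(cert_der, selector, mtype):
    """Certificate association data, lowercase hex, for the given selector/matching type."""
    return MATCHING[mtype](SELECTOR[selector](cert_der))


def tlsa_record(owner, cert_der, usage, selector, mtype, ttl=3600):
    """Render a zone-file line such as '_443._tcp.www.example.org. 3600 IN TLSA 3 1 1 <hex>'."""
    return f"{owner} {ttl} IN TLSA {usage} {selector} {mtype} {tlsa_data(cert_der, selector, mtype)}"


def tlsa_matches(cert_der, selector, mtype, data_hex):
    """True if the presented end-entity certificate satisfies the record's association data.
    (For usage 0/1 a verifier must additionally run normal PKIX chain validation.)"""
    return tlsa_data(cert_der, selector, mtype) == data_hex.replace(" ", "").lower()


# --- constructed sample certificates: valid DER layout, zeroed key point and signature ---
_EC_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d0201"))        # id-ecPublicKey
                   + _tlv(0x06, bytes.fromhex("2a8648ce3d030107")))     # prime256v1
_SIG_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d040302")))    # ecdsa-with-SHA256
SAMPLE_SPKI = _tlv(0x30, _EC_ALG + _tlv(0x03, b"\x00\x04" + bytes(64)))  # zeroed P-256 point


def build_sample_cert(serial, not_before, not_after, spki=SAMPLE_SPKI):
    """Assemble a minimal v3 certificate around the given key; only the layout matters here."""
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))                    # version v3
                     + _tlv(0x02, bytes([serial]))                       # serialNumber
                     + _SIG_ALG                                          # signature algorithm
                     + _tlv(0x30, b"")                                   # issuer (empty Name)
                     + _tlv(0x30, _tlv(0x17, not_before) + _tlv(0x17, not_after))
                     + _tlv(0x30, b"")                                   # subject (empty Name)
                     + spki)
    return _tlv(0x30, tbs + _SIG_ALG + _tlv(0x03, b"\x00" + bytes(8)))


CERT_2017 = build_sample_cert(1, b"170516094600Z", b"170814094600Z")
CERT_RENEWED = build_sample_cert(2, b"170814094600Z", b"171112094600Z")  # same key, new cert

if __name__ == "__main__":
    print(tlsa_record("_443._tcp.www.example.org.", CERT_2017, 3, 1, 1))
    print(tlsa_record("_443._tcp.www.example.org.", CERT_2017, 3, 0, 1))
```

With a real certificate, load the DER bytes (`ssl.PEM_cert_to_DER_cert` on a PEM string) and pass them to `tlsa_record`. The equivalent openssl pipeline for the selector 1 / SHA-256 case is `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`; the value it prints should equal `tlsa_data(der, 1, 1)`. Running the block prints two lines for `_443._tcp.www.example.org.`, one "3 1 1" and one "3 0 1"; after `CERT_RENEWED` replaces `CERT_2017` only the second one changes, which is the failure mode a full-certificate record creates when certificates are renewed automatically.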