Addendum for TLSA post.
@@ -211,5 +211,37 @@ Query TLSA records:
more useful for me than all the websites and blog and forum posts that I had
previously read.
---
# Addendum 2026-04-22
## How to produce the certificate-associated data for the TLSA record?
The certificate associated data is a SHA-256 or SHA-512 checksum, depending
on the third number.
```plain
2 1 1 cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75 # E7
# ^^^ this is the certificate-associated data in the TLSA record
```
```bash
openssl x509 -in E7.der -pubkey -noout | openssl ec -pubin -outform der | openssl sha256
```
### Obtain the hash for the certificate itself (DANE-EE)
Given a ECDSA key in `cert.pem`:
```bash
openssl x509 -in cert.pem -pubkey -noout | openssl ec -pubin -outform der | openssl sha256
```
Use the resulting hash in
```plain
3 1 1 HASH
```
[dane]: https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
[isi]: https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
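Review bot: the `openssl ec -pubin -outform der` stage in both added pipelines (`openssl x509 -in E7.der -pubkey -noout | openssl ec -pubin -outform der | openssl sha256` and the `cert.pem` variant) only accepts EC public keys and errors out on an RSA certificate; `openssl pkey -pubin -outform der` emits the same DER SubjectPublicKeyInfo for any key type and is the safer form to document. Two smaller points in the same region: `openssl x509 -in E7.der` needs `-inform DER` on OpenSSL 1.1.x, where PEM is the default input format (the flag is harmless on newer releases that auto-detect); and the heading "Obtain the hash for the certificate itself (DANE-EE)" together with "Given a ECDSA key in `cert.pem`" mislabels what the `3 1 1 HASH` record carries. The middle field is the selector, and 1 means the digest covers only the SubjectPublicKeyInfo, not the whole certificate (selector 0 would, computed with `openssl x509 -in cert.pem -outform der | openssl sha256`), while the third field is the matching type (1 = SHA-256, 2 = SHA-512), which is what "depending on the third number" refers to. Suggest writing "certificate" rather than "key" for `cert.pem`, and either retitling the heading to say "public key" or switching the record to selector 0 so the command and the title agree.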