From 98b97e16674906db5a1d456cdaa82b4ff03bdab6 Mon Sep 17 00:00:00 2001 From: Daniel Kraus Date: Fri, 15 May 2026 17:40:00 +0200 Subject: [PATCH] Addendum for TLSA post. --- .../dane-tlsa-record-for-letsencrypt/index.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/content/posts/2024/dane-tlsa-record-for-letsencrypt/index.md b/content/posts/2024/dane-tlsa-record-for-letsencrypt/index.md index 7d979e4..f449179 100644 --- a/content/posts/2024/dane-tlsa-record-for-letsencrypt/index.md +++ b/content/posts/2024/dane-tlsa-record-for-letsencrypt/index.md @@ -211,5 +211,37 @@ Query TLSA records: more useful for me than all the websites and blog and forum posts that I had previously read. +--- + +# Addendum 2026-04-22 + +## How to produce the certificate-associated data for the TLSA record? + +The certificate associated data is a SHA-256 or SHA-512 checksum, depending +on the third number. + +```plain +2 1 1 cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75 # E7 +# ^^^ this is the certificate-associated data in the TLSA record +``` + +```bash +openssl x509 -in E7.der -pubkey -noout | openssl ec -pubin -outform der | openssl sha256 +``` + +### Obtain the hash for the certificate itself (DANE-EE) + +Given a ECDSA key in `cert.pem`: + +```bash +openssl x509 -in cert.pem -pubkey -noout | openssl ec -pubin -outform der | openssl sha256 +``` + +Use the resulting hash in + +```plain +3 1 1 HASH +``` + [dane]: https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities [isi]: https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
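Review bot: The new "Obtain the hash for the certificate itself (DANE-EE)" section is internally inconsistent with the record it produces. `3 1 1 HASH` uses selector 1, which covers the SubjectPublicKeyInfo, and the command shown (`openssl x509 -in cert.pem -pubkey -noout | openssl ec -pubin -outform der | openssl sha256`) does hash the SPKI, not the certificate; either retitle the section to "hash of the end-entity public key (DANE-EE, selector 1)" or, if the whole certificate is meant, use selector 0 and hash the DER certificate (`openssl x509 -in cert.pem -outform der | openssl sha256`). The same mismatch applies to the lead sentence: the third field (matching type) picks SHA-256 vs SHA-512, but the second field (selector) decides what gets hashed, and the addendum never says so; one sentence naming both fields would remove the ambiguity. Smaller points in the same hunk: "Given a ECDSA key in `cert.pem`" should read "Given a certificate with an ECDSA key in `cert.pem`", since `x509 -pubkey` reads a certificate; `openssl ec -pubin` only works for EC keys, so `openssl pkey -pubin -outform der` is the drop-in that also handles RSA certificates; and the E7 example reads a DER file with `openssl x509 -in E7.der` without `-inform der`, which older OpenSSL releases reject as PEM, so adding `-inform der` makes it work across versions. Consider also noting that `3 1 1` only stays valid while the key is reused across renewals, which is the DANE-EE caveat the rest of the post already implies.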