Addendum for TLSA post.
This commit is contained in:
@@ -211,5 +211,37 @@ Query TLSA records:
|
|||||||
more useful for me than all the websites and blog and forum posts that I had
|
more useful for me than all the websites and blog and forum posts that I had
|
||||||
previously read.
|
previously read.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# Addendum 2026-04-22
|
||||||
|
|
||||||
|
## How to produce the certificate-associated data for the TLSA record?
|
||||||
|
|
||||||
|
The certificate associated data is a SHA-256 or SHA-512 checksum, depending
|
||||||
|
on the third number.
|
||||||
|
|
||||||
|
```plain
|
||||||
|
2 1 1 cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75 # E7
|
||||||
|
# ^^^ this is the certificate-associated data in the TLSA record
|
||||||
|
```
|
||||||
|
|
||||||
|
```bash
|
||||||
|
openssl x509 -in E7.der -pubkey -noout | openssl ec -pubin -outform der | openssl sha256
|
||||||
|
```
|
||||||
|
|
||||||
|
### Obtain the hash for the certificate itself (DANE-EE)
|
||||||
|
|
||||||
|
Given a ECDSA key in `cert.pem`:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
openssl x509 -in cert.pem -pubkey -noout | openssl ec -pubin -outform der | openssl sha256
|
||||||
|
```
|
||||||
|
|
||||||
|
Use the resulting hash in
|
||||||
|
|
||||||
|
```plain
|
||||||
|
3 1 1 HASH
|
||||||
|
```
|
||||||
|
|
||||||
[dane]: https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
|
[dane]: https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
|
||||||
[isi]: https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
|
[isi]: https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
|
||||||
|
|||||||
Reference in New Issue
Block a user