Generating TLSA Records With OpenSSL

by Tykling

07. jun 2017 05:54 UTC

I am in the process of implementing Certgrinder on all my servers, and as a part of that I am publishing TLSA records for all my services. I haven't been able to do so before, because the normal LetsEncrypt procedure means rolling cert and keys every three months. With Certgrinder I am not rolling the keys when renewing, so I can pin the public keys instead of the certificates in the TLSA records.

Most examples of using OpenSSL to generate TLSA records are pinning the full certificate and not just the public key, so I am leaving the OpenSSL commands I used here, for future reference.

The .crt file used in the example is the certificate in PEM format.

To be clear, these commands generate the 3 1 X type TLSA records, with the selector field set to 1 for public key instead of 0 for the full certificate.


Generate DANE-EE Publickey Full (3 1 0) TLSA Record

openssl x509 -noout -pubkey -in certificates/ircd.tyknet.dk.crt | openssl rsa -pubin -outform DER | hexdump -ve '/1 "%02x"'

Note: The args to hexdump are to fix the endianness. On platforms without hexdump(1) you might find xdd or od useful.


Generate DANE-EE Publickey SHA256 (3 1 1) TLSA Record

openssl x509 -noout -pubkey -in certificates/ircd.tyknet.dk.crt | openssl rsa -pubin -outform DER 2>/dev/null | sha256 | tr "a-z" "A-Z"

Generate DANE-EE Publickey SHA512 (3 1 2) TLSA Record

openssl x509 -noout -pubkey -in certificates/ircd.tyknet.dk.crt | openssl rsa -pubin -outform DER 2>/dev/null | sha512 | tr "a-z" "A-Z"

Putting It Into the DNS

The resulting hex values can be used directly in the TLSA record. In this case the certificate is for an IRC server with the hostname ircd.tyknet.dk. IRC over TLS uses port 6697 so the TLSA records for this service look like this:

dig _6697._tcp.ircd.tyknet.dk tlsa +short                                                                                                                                                                                                                                                            
3 1 1 764129429D318DA37504F04DCDDBC0CCA556EC73423DB0DA0DD23073 59DAAAE0
3 1 2 DD1EA6781719BF6FF6896394BA59712286C4AE56666E09846FB68221 E92E62FD0EFF9EA4EA31E2D6ACC886EAF2C71BDBB8AD998FB906ACBD B1D1F6172CD94010
3 1 0 30820222300D06092A864886F70D01010105000382020F003082020A 0282020100DF7E3C1167A59BDFB175C46CB159A1801303AEA7454456 37397C2C11B5F0C52802AC6CC3B63C2176718155118DD6097EA24A81 2CD598C58AAF9308FF4C6DDBFE90083DA8614861DABDDB417760D0DB 69F290436F7363BE4A38F70D689414EA2E06ED4751F2398DA69786B0 E1C1BA8700430D6CC4D25E8B23733207B79A969EE64370060608BFC1 BBDDC550A78A0AC9EBCB51B0CE7A2273F95EBAFC205295ED4574763B 9D82FD1A9C188E8646AE55C066206C17EB5DD2DA590ED32E810F6214 33040B46D38E0F38DE7BED8DAB88884E45C7D65E9709D93BDF29ECD0 51F6E1785059D51713C8A3073D011612526E097CF2B024A08961F9BA 5DF38218F26608571509874B87382A23E2D98A1463E98A604704F512 CA1D879FD25EA1421C37695739A0E7E91608B55CEDAE4A4C4EA25F24 DD13A77A3C84940F0B70F94A6DB95764C9BB97F3367A338D9891A71A C5414E6CA08F2F305C67D72981C5F4DBE1EB40AD217D0C73549A2ABF 6F7D8F1D707141215C7D378518517744FFA38F6CEFA119FC2C8F8DC0 6E5D6DEE50D6281708CBD707937BFB7553E8B1C0DA94F3F96D165702 8380E674C6DD567582A9ECC9C826A628139A667C4D71CDC2A3E2A77E 89F9BA5891464E4F63CF2E4B3523C31DB940F0ECB2F54F4E0F8EDEB8 A15235980FCCA0FAC825476DDA25A41541B118324299F36B06C1BEB0 38D920F56EAE0A8CAC2D453D9B0203010001

Happy TLSAing!

Search this blog

Tags for this blogpost

pki letsencrypt x509 tlsa openssl