Steps to Create & Add DANE TLSA Record

It is sounds easy but it is difficult because of lack of proper guides on Internet. Here Are the Steps to Create & Add DANE TLSA Record From TLS/SSL Certificate in Command Line Interface on SSH and Add on Your DNS Record. In previous article we talked about DANE and TLSA Record.

 

Before You Jump to the Steps to Create & Add DANE TLSA Record

 

You should have DNSSEC Record. We have guide on how to add DNSSEC record. For all the stuffs, you will need to have :

1. Your domain registerer must support DNSSEC Record
2. Your DNS service provider must have support to add DNSSEC Record and TLSA record
3. You are running website on a server where you have root access
4. You already using SSL/TLS on your domain

This guide is not written for those are not fulfilling all the stuffs written above. They are basic upgrade or need, possibly more important than adding TLSA Record. Let’s Encrypt providing free SSL certificate to all. There can not be any reason not to use SSL/TLS. Virtual private servers cost from mere $2 / month now. Even some top level domain are free. We have written this guide on steps to create TLSA Record while using DYN DNS, GeoTrust DV SSL.

 

Steps to Create & Add DANE TLSA Record

 

We already discussed about DANE in details explaining the TLSA Record part. What exactly you need is to SSH to you server and change directory to the location where your SSL certificates are located. You have the SSL certificate for the domain, that it what we need, take the name of the certificate as thecustomizewindows.com.crt. We can create TLSA record for smtp
imap, xmpp, web application. We are creating for web application. To generate, we can use a GNU package named danetool or plain openssl replacing /path/to/your/certificate/file :

You will get an output like this :

 

The RDATA portion of the record consists of four fields:

1. Certificate Usage (0, 1, 2, 3)
2. TLSA Selector (0 ,1)
3. TLSA Matching Type (0, 1, 2)
4. Certificate Association Data (The hash data)

For the Certificate Usage field, a value of 1 indicates that we are pinning a certificate signed by a Certificate Authority. For Let’s Encrypt this will be 3 at this moment, for all paid SSL certificate it will be 1.

For the TLSA Selector field, a value of 0 indicates the Certificate Association Data field is based upon the full certificate.

For the TLSA Matching Type field, a value of 1 indicates the Certificate Association Data field contains a hash.

The Certificate Association Data field is your generated hash with command. You need the generated 6F09D78BD9C070D4F461978C3A34EF3FDA56515BBAE0A87A0A4787D786181B6A part for it. Now, login to Dyn (or other DNS service's panel). You will add record like ours.

Write all in this format :

Vim

1 0 1 ( 6F09D78BD9C070D4F461978C3A34EF3FDA56515BBAE0A87A0A4787D786181B6A )

1	1 0 1 ( 6F09D78BD9C070D4F461978C3A34EF3FDA56515BBAE0A87A0A4787D786181B6A )

 

In DNS control panel, create a new record, select 1 hour as time to live (TTL), _443._tcp. as subdomain and your stuff in 1 0 1 ( 6F09D78BD9C070D4F461978C3A34EF3FDA56515BBAE0A87A0A4787D786181B6A )` format. Save and publish the record. Test on :

Tagged With create tlsa records openssl , create dane record online , how to create DANE record , how to add tlsa record in windows server dns , how o generate TLSA record on windows 2016 DNS , DNS provider supports TLSA , WIndows server tlsa record add , create TLSA certificate , create tlsa , create dane record on windows server