It sounds easy, but it is difficult because of the lack of proper guides on the Internet. Here are the steps to create a DANE TLSA record from a TLS/SSL certificate on the command line over SSH, and to add it to your DNS records. In the previous article we talked about DANE and the TLSA record.
Before You Jump to the Steps to Create & Add a DANE TLSA Record
You should already have DNSSEC in place. We have a guide on how to add DNSSEC records. For all of this, you will need:
- Your domain registrar must support DNSSEC
- Your DNS service provider must support adding DNSSEC and TLSA records
- You are running the website on a server where you have root access
- You are already using SSL/TLS on your domain
This guide is not written for those who do not fulfil all of the points above. They are basic upgrades or needs, possibly more important than adding a TLSA record. Let’s Encrypt provides free SSL certificates to everyone, so there is no reason not to use SSL/TLS. Virtual private servers now cost from a mere $2 per month. Even some top-level domains are free. We have written this guide on the steps to create a TLSA record while using Dyn DNS and a GeoTrust DV SSL certificate.
Steps to Create & Add a DANE TLSA Record
We already discussed DANE in detail, explaining the TLSA record part. What you need to do is SSH to your server and change directory to the location where your SSL certificates are stored. You have the SSL certificate for the domain; that is what we need. Take the certificate's file name as thecustomizewindows.com.crt. A TLSA record can be created for SMTP, IMAP, XMPP or a web application; here we are creating one for a web application. To generate the hash we can use the GNU package danetool, or plain openssl, replacing the path with that of your certificate file:
openssl x509 -noout -fingerprint -sha256 < /path/to/your/certificate/file | tr -d : | cut -d"=" -f2
You will get an output like this (the SHA-256 fingerprint of the certificate, with the colons removed):
6F09D78BD9C070D4F461978C3A34EF3FDA56515BBAE0A87A0A4787D786181B6A
The RDATA portion of the record consists of four fields:
- Certificate Usage (0, 1, 2, 3)
- TLSA Selector (0, 1)
- TLSA Matching Type (0, 1, 2)
- Certificate Association Data (The hash data)
In the Certificate Usage field, a value of 1 indicates that we are pinning a certificate signed by a Certificate Authority. For Let’s Encrypt this will be 3 at this moment; for all paid SSL certificates it will be 1.
In the TLSA Selector field, a value of 0 indicates that the Certificate Association Data field is based upon the full certificate.
In the TLSA Matching Type field, a value of 1 indicates that the Certificate Association Data field contains a hash (SHA-256, as produced by the command above).
The Certificate Association Data field is the hash you generated with the command. You need the generated 6F09D78BD9C070D4F461978C3A34EF3FDA56515BBAE0A87A0A4787D786181B6A part for it. Now log in to Dyn (or your DNS service's control panel). You will add a record like ours.
Write it all in this format:
1 0 1 ( 6F09D78BD9C070D4F461978C3A34EF3FDA56515BBAE0A87A0A4787D786181B6A )
In the DNS control panel, create a new TLSA record, select 1 hour as the time to live (TTL), _443._tcp as the subdomain (port 443 over TCP, for HTTPS), and your data in the 1 0 1 ( 6F09D78BD9C070D4F461978C3A34EF3FDA56515BBAE0A87A0A4787D786181B6A ) format. Save and publish the record. Test on :
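The whole procedure above, as an added example (this is not the article's own code and not danetool): a small Python script that computes the Certificate Association Data the openssl pipeline produces, builds the "1 0 1 ..." RDATA, and checks a published record against a certificate, which is the test you want to run after publishing. It goes beyond the article's selector 0 / SHA-256 case to selector 1 (SubjectPublicKeyInfo) and matching types 0 and 2. The certificate it parses is a constructed, unsigned X.509 skeleton embedded inline (labelled as such in the code); pass a real PEM file as the first argument to use your own. Its DER walker assumes single-byte tags, which is all an X.509 certificate uses.

```python
"""Build and verify DANE TLSA RDATA (RFC 6698) from a certificate.

Added example, not the article's tooling: it does in Python what the
article's `openssl x509 -fingerprint -sha256` pipeline does (selector 0,
matching type 1) and generalises it to selector 1 (SubjectPublicKeyInfo)
and matching types 0/1/2, plus a check that a published record matches
the certificate actually served.
"""
import base64
import hashlib
import re
import sys

FULL_CERT, SPKI = 0, 1           # TLSA selectors
EXACT, SHA256, SHA512 = 0, 1, 2  # TLSA matching types


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the first certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def _header_len(tlv: bytes) -> int:
    """Bytes taken by tag + length in one DER TLV (single-byte tags)."""
    return 2 + ((tlv[1] & 0x7F) if tlv[1] & 0x80 else 0)


def _der_children(body: bytes):
    """Yield (tag, raw TLV bytes) for each element of a constructed DER value."""
    i = 0
    while i < len(body):
        hdr = _header_len(body[i:])
        length = body[i + 1] if hdr == 2 else int.from_bytes(body[i + 2:i + hdr], "big")
        yield body[i], body[i:i + hdr + length]
        i += hdr + length


def spki_from_der(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo: 7th field of TBSCertificate when the optional
    [0] version is present, 6th otherwise (RFC 5280 section 4.1)."""
    tbs = next(_der_children(cert_der[_header_len(cert_der):]))[1]
    fields = list(_der_children(tbs[_header_len(tbs):]))
    return fields[6 if fields[0][0] == 0xA0 else 5][1]


def assoc_data(data: bytes, mtype: int) -> str:
    """Certificate Association Data as uppercase hex for one matching type."""
    if mtype == EXACT:
        return data.hex().upper()
    if mtype == SHA256:
        return hashlib.sha256(data).hexdigest().upper()
    if mtype == SHA512:
        return hashlib.sha512(data).hexdigest().upper()
    raise ValueError(f"unknown TLSA matching type {mtype}")


def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """Presentation-format RDATA, e.g. '1 0 1 6F09D7...' for the article's case."""
    data = cert_der if selector == FULL_CERT else spki_from_der(cert_der)
    return f"{usage} {selector} {mtype} {assoc_data(data, mtype)}"


def tlsa_matches(rdata: str, cert_der: bytes) -> bool:
    """Does a published record match this certificate? Zone-file parentheses
    and line breaks inside the hex (as in '1 0 1 ( ... )') are tolerated."""
    usage, selector, mtype, *hexparts = rdata.replace("(", " ").replace(")", " ").split()
    published = "".join(hexparts).upper()
    return published == tlsa_rdata(cert_der, int(usage), int(selector), int(mtype)).split()[3]


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV, using the long length form when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# Constructed stand-in certificate (NOT a real, signed certificate): an X.509 v3
# skeleton with empty names and a dummy RSA SubjectPublicKeyInfo, enough to
# exercise the selector/matching-type logic offline.
_ALG_RSA = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D010101")))  # rsaEncryption OID
SAMPLE_SPKI = _tlv(0x30, _ALG_RSA + _tlv(0x03, b"\x00" + b"\x42" * 64))
SAMPLE_CERT_DER = _tlv(0x30,
    _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))  # tbsCertificate: [0] version v3
         + _tlv(0x02, b"\x01")                   # serialNumber
         + _tlv(0x30, b"") * 4                   # signature, issuer, validity, subject
         + SAMPLE_SPKI)                          # subjectPublicKeyInfo
    + _tlv(0x30, b"")                            # signatureAlgorithm
    + _tlv(0x03, b"\x00" * 9))                   # signatureValue
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Usage: python tlsa_example.py [cert.pem]; without an argument the sample is used.
    der = pem_to_der(open(sys.argv[1]).read()) if len(sys.argv) > 1 else SAMPLE_CERT_DER
    for usage, sel, mt in ((1, 0, 1), (3, 1, 1)):
        print(tlsa_rdata(der, usage, sel, mt))
```

Two points worth keeping in mind when choosing the fields: a "x 0 1" record (selector 0) hashes the whole certificate, so it stops matching the moment the certificate is reissued, even if the key is unchanged, which matters for short-lived certificates that are renewed automatically; a "x 1 1" record (selector 1) hashes only the public key, so it survives renewals as long as the same key is kept. Whichever you publish, keep the old record alongside the new one for at least the TTL around a rollover, and run a check like tlsa_matches against the certificate the server actually serves before and after publishing.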