danetool command examples

danetool – GnuTLS DANE tool

DANE TLSA RR generation

To create a DANE TLSA resource record for a certificate (or public key) that was issued locally and may or may not be signed by a CA, use the following command.

$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem

To create a DANE TLSA resource record for a CA-signed certificate, which will be marked as such, use the following command.

$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem --no-domain

The former record is worth adding to your DNS zone even if your certificate is signed by a CA. That way, even users who do not trust your CA will still be able to verify your certificate using DANE.

In order to create a record for the CA that signed your certificate, use the following.

$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem --ca --no-domain
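As an added illustration (not GnuTLS or danetool code), the standard-library Python script below builds the same TLSA record content that danetool --tlsa-rr emits for the flag combinations above, in standard presentation format: certificate usage 3 by default, 1 with --no-domain, 2 with --ca and 0 with --ca --no-domain; selector 1 (the SubjectPublicKeyInfo) unless danetool's --x509 flag is given; and SHA-256 as the matching type. The flag-to-usage mapping is my reading of danetool's defaults, and the sample certificate is a constructed DER skeleton rather than a real certificate.

```python
import base64, hashlib, re

def der(tag, body):
    """Encode one short-form DER TLV; only used to build the constructed sample."""
    return bytes([tag, len(body)]) + body

def der_tlv(buf, off):
    """Parse the TLV header at off; return (tag, value_start, value_end)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (TLSA selector 1)."""
    _, tbs_off, _ = der_tlv(cert_der, 0)       # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, off, end = der_tlv(cert_der, tbs_off)   # TBSCertificate ::= SEQUENCE { ... }
    fields = []
    while off < end:                           # (tag, tlv_start, value_end) of each field
        tag, _, ve = der_tlv(cert_der, off)
        fields.append((tag, off, ve))
        off = ve
    if fields[0][0] == 0xA0:                   # skip the optional [0] EXPLICIT version
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, start, stop = fields[5]
    return cert_der[start:stop]

def tlsa_record(pem, host, ca=False, no_domain=False, x509=False, port=443, proto="tcp"):
    """Mirror danetool --tlsa-rr: usage from --ca/--no-domain, selector from --x509, SHA-256."""
    usage = {(False, False): 3, (False, True): 1, (True, False): 2, (True, True): 0}[(ca, no_domain)]
    cert = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    digest = hashlib.sha256(cert if x509 else extract_spki(cert)).hexdigest()
    return f"_{port}._{proto}.{host}. IN TLSA {usage} {0 if x509 else 1} 1 {digest}"

# Constructed minimal X.509 skeleton (empty placeholder names/validity), not a real certificate.
SAMPLE_SPKI = der(0x30, der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
                  + der(0x03, b"\x00\xab\xcd"))
_tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
           + der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, _tbs + der(0x30, b"") + der(0x03, b"\x00"))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for flags in ({}, {"no_domain": True}, {"ca": True, "no_domain": True}, {"x509": True}):
        print(tlsa_record(SAMPLE_PEM, "www.example.com", **flags))
```

Point the script at a real cert.pem to compare its digest with danetool's output; only the presentation differs, since danetool prints the three numeric fields as two-digit values inside parentheses.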

To read a server’s DANE TLSA entry, use:

$ danetool --check www.example.com --proto tcp --port 443

To verify a server’s DANE TLSA entry, use:

$ danetool --check www.example.com --proto tcp --port 443 --load-certificate chain.pem
