Re: [dane] Extracting SPKI from a certificate/key
Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 21 December 2014 23:07 UTC
Date: Sun, 21 Dec 2014 23:07:45 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141221230745.GY24649@mournblade.imrryr.org>
References: <54974FEA.4070401@iki.fi>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="48TaNjbzBVislYPb"
Content-Disposition: inline
In-Reply-To: <54974FEA.4070401@iki.fi>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/3AWi6BTeoohnzkdH3xAGKv3sN_Q
Subject: Re: [dane] Extracting SPKI from a certificate/key
On Mon, Dec 22, 2014 at 12:55:38AM +0200, Tapio Sokura wrote:

> Can someone verify these produce the correct results for use with
> tlsa dane-ee spki sha-256 records? Naturally these exact syntaxes only
> work for RSA keys.
>
> from private key:
>
> openssl rsa -in private.key -outform der -pubout | sha256sum
>
> from x509 certificate:
>
> openssl x509 -in x509.crt -pubkey -noout |
> openssl rsa -pubin -outform der |
> sha256sum

Basically correct.

In notices I send to sites whose TLSA records are not right, I include
the text below:

----- Snip -----

To generate a TLSA "3 1 1" record from a certificate file in PEM format
(using OpenSSL 1.0.0 or later):

    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' \
        $(uname -n) \
        $(openssl x509 -in cert.pem -noout -pubkey |
            openssl pkey -pubin -outform DER |
            openssl dgst -sha256 -binary |
            hexdump -ve '/1 "%02x"')

you can use the attached tlsagen script if you prefer,

    $ ./tlsagen cert.pem $(uname -n) 3 1 1

or use the website:

    https://www.huque.com/bin/gen_tlsa

----- Snip -----

The above is not RSA-specific and works equally well for ECDSA keys.
However, it requires OpenSSL 1.0.0 or later. One really should not be
using OpenSSL 0.9.8 or earlier at this point, and even 1.0.0 is reaching
end-of-life.

-- 
	Viktor.
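The pipeline above hashes the DER encoding of the certificate's SubjectPublicKeyInfo (the algorithm identifier plus the key bits, which is exactly what `openssl x509 -pubkey | openssl pkey -outform DER` emits), not the raw key and not the PEM text. The Python example below is an added illustration, not part of this thread and not the attached tlsagen script: it locates the SubjectPublicKeyInfo in a DER certificate with a minimal ASN.1 walk, computes the SHA-256 "3 1 1" matching data, and formats the record. Like the OpenSSL pipeline it is algorithm-agnostic, so the same code serves RSA and ECDSA keys. It needs no OpenSSL at all; the certificate it parses is a constructed, unsigned placeholder built inline so the example runs offline. The helper names (`extract_spki`, `tlsa_3_1_1`, `make_test_cert`) are this example's own.

```python
import base64
import hashlib

# ---- tiny DER helpers (enough for X.509 structure walking) ----

def _der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _seq(*items):
    return _der(0x30, b"".join(items))

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, tlv_start, tlv_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, ve = _read_tlv(buf, pos)
        yield tag, pos, ve
        pos = ve

# ---- PEM <-> DER ----

def pem_to_der(pem):
    lines = [l.strip() for l in pem.strip().splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))

def der_to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

# ---- SPKI extraction and TLSA record generation ----

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, vs, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_vs, tbs_ve = _read_tlv(cert_der, vs)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(_children(cert_der, tbs_vs, tbs_ve))
    # TBSCertificate: [version [0] OPTIONAL], serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...  -> SPKI is 6th after version
    idx = 1 if fields and fields[0][0] == 0xA0 else 0
    if len(fields) <= idx + 5 or fields[idx + 5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    _, s, e = fields[idx + 5]
    return cert_der[s:e]

def spki_sha256_hex(cert_der):
    return hashlib.sha256(extract_spki(cert_der)).hexdigest()

def tlsa_3_1_1(cert_der, host, port=25, proto="tcp"):
    """DANE-EE, SPKI selector, SHA-256 matching type (usage 3, selector 1, type 1)."""
    return f"_{port}._{proto}.{host}. IN TLSA 3 1 1 {spki_sha256_hex(cert_der)}"

# ---- constructed test certificate (unsigned placeholder, not a real cert) ----

OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
OID_RSA = bytes.fromhex("2a864886f70d010101")          # 1.2.840.113549.1.1.1
NULL = _der(0x05, b"")

def make_test_cert(spki=None, v3=True):
    """Build a syntactically plausible certificate around the given SPKI."""
    if spki is None:  # RSA-shaped SPKI with a fake 256-bit modulus
        rsa_key = _seq(_der(0x02, b"\x00\xc0" + b"\x11" * 31), _der(0x02, b"\x01\x00\x01"))
        spki = _seq(_seq(_der(0x06, OID_RSA), NULL), _der(0x03, b"\x00" + rsa_key))
    fields = [_der(0xA0, _der(0x02, b"\x02"))] if v3 else []          # version
    fields += [_der(0x02, b"\x01"),                                    # serialNumber
               _seq(_der(0x06, OID_SHA256_RSA), NULL),                 # signature
               _seq(),                                                 # issuer (empty Name)
               _seq(_der(0x17, b"141221000000Z"), _der(0x17, b"151221000000Z")),
               _seq(),                                                 # subject
               spki]
    cert = _seq(_seq(*fields), _seq(_der(0x06, OID_SHA256_RSA), NULL),
                _der(0x03, b"\x00" + b"\x00" * 32))                    # dummy signature
    return cert, spki

if __name__ == "__main__":
    cert, _ = make_test_cert()
    print(tlsa_3_1_1(pem_to_der(der_to_pem(cert)), "mail.example.com"))
```

The parser reads only as far as the SubjectPublicKeyInfo and verifies nothing about the certificate, which is all that generating the record needs; the point of the selector value 1 is that the record stays valid across re-issued certificates as long as the key pair (and therefore the SPKI) is unchanged.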