We provide managed hosting and co-locating services out of Amsterdam.


Adding TLSA records to your DNS

Start by creating a SHA-256 hash of either your full certificate or your public key. We have opted for the public key, as it does not change when the certificate is renewed with the same key pair (thanks, Florian!).

You can get this hash by running the following command against your certificate. Note that sha256 is the BSD digest tool; on Linux use sha256sum instead. The "openssl rsa" step only handles RSA keys; for an EC key, replace it with "openssl pkey -pubin -outform DER":

openssl x509 -noout -pubkey -in /etc/ssl/<cert>.crt | openssl rsa -pubin -outform DER 2>/dev/null | sha256

Once that is done you will get a 64-character hexadecimal SHA-256 digest (the digests in the examples on this page are abbreviated; always put the full digest in your zone), which looks like:

4e39c8646a89bd375e2b7a9abe5d97b4d57b3569e296b7

You need to create a TLSA record in your zonefile for each name and port you serve. The three numbers in front of the digest are the certificate usage (3 = DANE-EE, the end-entity certificate itself), the selector (1 = SubjectPublicKeyInfo, i.e. the public key we hashed above) and the matching type (1 = SHA-256). Clients only trust TLSA records from a DNSSEC-signed zone, so sign your zone first. The records look something like:

_443._tcp       IN  TLSA    3 1 1 4e39c8646a89bd375e2b7a9abe5d97b4d57b3569e296b7
_443._tcp.www   IN  TLSA    3 1 1 4e39c8646a89bd375e2b7a9abe5d97b4d57b3569e296b7

For SMTP it's very similar: the port is 25 and the owner name is the host name that appears in your MX record (mx1, mail), because that is the name a DANE-aware sending server looks up:

_25._tcp.mx1    IN  TLSA    3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b93
_25._tcp.mail   IN  TLSA    3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b93
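The same procedure in code, as an added example (not from this page or its author): it hashes a SubjectPublicKeyInfo the way "openssl ... -outform DER | sha256" does, prints the "3 1 1" zone line in the layout used above, and checks a record against a key the way a DANE client would. The key is a constructed EC P-256 SubjectPublicKeyInfo with a placeholder point, not a real server key; the function names are my own.

```python
import base64
import hashlib
import hmac
import re

def _der(tag, body):
    # Minimal DER TLV encoder; short-form length is enough for these sizes.
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def sample_spki_der():
    # Constructed SubjectPublicKeyInfo for an EC P-256 key with a placeholder
    # point (not a real key) so the example runs offline. Selector 1 hashes
    # exactly these bytes, which is what `openssl ... -outform DER` emits.
    ec_public_key = bytes.fromhex("2a8648ce3d0201")    # OID 1.2.840.10045.2.1
    prime256v1 = bytes.fromhex("2a8648ce3d030107")     # OID 1.2.840.10045.3.1.7
    point = b"\x04" + bytes(range(1, 65))              # placeholder uncompressed point
    algorithm = _der(0x30, _der(0x06, ec_public_key) + _der(0x06, prime256v1))
    return _der(0x30, algorithm + _der(0x03, b"\x00" + point))

def pem_to_der(pem):
    # Strip the -----BEGIN/END----- armour and base64-decode, like -outform DER.
    body = re.sub(r"-----[^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))

def tlsa_rdata(spki_der, usage=3, selector=1, mtype=1):
    # 3 = DANE-EE, 1 = SubjectPublicKeyInfo, 1 = SHA-256: the page's "3 1 1".
    return f"{usage} {selector} {mtype} {hashlib.sha256(spki_der).hexdigest()}"

def tlsa_record(port, proto, host, spki_der):
    # Zone-file line in the same layout as the page, e.g. _443._tcp.www IN TLSA ...
    owner = f"_{port}._{proto}" + (f".{host}" if host else "")
    return f"{owner:<16}IN  TLSA    {tlsa_rdata(spki_der)}"

def check_tlsa(rdata, spki_der):
    # What a DANE client does with a 3 1 1 record: compare the SHA-256 of the
    # presented SubjectPublicKeyInfo with the digest from DNS. A digest that is
    # not 64 hex characters can never match and is rejected outright.
    fields = rdata.split()
    if len(fields) != 4 or fields[:3] != ["3", "1", "1"]:
        return False
    digest = fields[3].lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        return False
    return hmac.compare_digest(digest, hashlib.sha256(spki_der).hexdigest())

if __name__ == "__main__":
    key = sample_spki_der()
    print(tlsa_record(443, "tcp", "www", key))
    print(check_tlsa(tlsa_rdata(key), key))
```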