We provide managed hosting and co-locating services out of Amsterdam.

ServicesProjectsMirrorsGistsGitContact us

Adding TLSA records to your DNS

Start by creating a hash from your full certificate or your public key. We have opted for the public key as it doesn’t change, thanx Florian!

You can get this hash by running the following command against your certificate:

openssl x509 -noout -pubkey -in /etc/ssl/<cert>.crt | openssl rsa -pubin -outform DER 2>/dev/null | sha256

Once that is done you will get a hash which looks like:

4e39c8646a89bd375e2b7a9abe5d97b4d57b3569e296b7

You need to create a TLSA record in your zonefile, something like:

_443._tcp       IN  TLSA    3 1 1 4e39c8646a89bd375e2b7a9abe5d97b4d57b3569e296b7
_443._tcp.www   IN  TLSA    3 1 1 4e39c8646a89bd375e2b7a9abe5d97b4d57b3569e296b7

For SMTP it’s very similar:

_25._tcp.mx1    IN  TLSA    3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b93
_25._tcp.mail   IN  TLSA    3 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b93