@n-connect
Last active October 5, 2022 16:23
generate DANE records for bundled certs
#!/usr/bin/env bash
## Usage: tlsagen_bc.sh /path/to/fullchain.pem mx.server.name portnumber
#
## Tested with Let's Encrypt's fullchain.pem, which contains the server, intermediate and root cert in this order.
## A TLSA record for DANE needs at least one cert, the server cert (3 1 1 in the record).
## Best practice is to also include a roll-over scheme, which needs a 2nd TLSA record for that service (here SMTP) with the root cert (2 1 1 in the record).
## Note: a "2 1 1" record carries only a digest, so the MTA must actually send the root cert in its chain (RFC 7671, section 5.2.2); serving the same fullchain.pem does that.
## Created after https://github.com/internetstandards/toolbox-wiki/blob/main/DANE-for-SMTP-how-to.md#generating-dane-roll-over-records
## You can test your records after publishing them in your DNS zone with 'dig +short TLSA _25._tcp.mx.server.name'
#
set -euo pipefail

if (( $# != 3 ))
then
  echo "Usage: $0 /path/to/fullchain.pem mx.server.name portnumber" >&2
  exit 1
fi
chain="$1"
host="$2"
port="$3"
#
## Split the fullchain.pem file into 3 files (certaa, certab, certac), one per '-----BEGIN CERTIFICATE-----' block.
## The original used BSD/macOS 'split -p', which GNU coreutils' split does not have; awk does the same job portably.
## Mind the input file: Let's Encrypt's chain.pem is wrong to use, it only contains 2 certs -> wrong 2 levels
awk '/-----BEGIN CERTIFICATE-----/ { n++ }
     n >= 1 && n <= 3 { print > ("certa" substr("abc", n, 1)) }' "$chain"
#
## SHA-256 of the DER-encoded SubjectPublicKeyInfo (selector 1, matching type 1), as lowercase hex
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"'
}
#
## 'certaa' is the server cert
openssl x509 -in certaa -noout -subject -issuer
## TLSA record for the server cert (usage 3 = DANE-EE)
printf "_%s._tcp.%s. IN TLSA 3 1 1 %s\n" "$port" "$host" "$(spki_sha256 certaa)"
#
## 'certab' is the intermediate cert, not needed here
#openssl x509 -in certab -noout -subject -issuer
#printf "_%s._tcp.%s. IN TLSA 2 1 1 %s\n" "$port" "$host" "$(spki_sha256 certab)"
#
## 'certac' data & TLSA record for the root cert (usage 2 = DANE-TA)
openssl x509 -in certac -noout -subject -issuer
printf "_%s._tcp.%s. IN TLSA 2 1 1 %s\n" "$port" "$host" "$(spki_sha256 certac)"
#
## remove temporary files
rm -f certaa certab certac
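The comments above say to check the published record with `dig +short TLSA _25._tcp.mx.server.name`, but `dig` prints the hash upper-cased and split into space-separated groups, so comparing it by eye against the script's output is error-prone. The following is an added example, not part of the gist: it normalises a record line as `dig` prints it and checks the SPKI digest against a PEM certificate (the one you generated from, or the one the MTA actually presents). It assumes `openssl` and `od` are installed; `mx.example` is a placeholder host name.

```shell
#!/bin/sh
# Added example, not part of the gist: verify a TLSA "x 1 1" record against a PEM cert.
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo, which is exactly what selector 1 / matching type 1
# covers (the algorithm identifier plus the key, not the whole certificate).
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | od -An -v -tx1 | tr -d ' \n'
}

# Normalise one RDATA line as 'dig +short' prints it ("3 1 1 ABCD... EF01...") into
# "usage selector mtype hex" with the hex lower-cased and joined.
normalize_tlsa() {
  set -- $1                      # word-split: usage, selector, matching type, hex groups...
  [ "$#" -ge 4 ] || { echo "malformed TLSA record: $*" >&2; return 2; }
  usage=$1; sel=$2; mtype=$3; shift 3
  hex=$(printf '%s' "$*" | tr -d ' ' | tr 'A-F' 'a-f')
  printf '%s %s %s %s\n' "$usage" "$sel" "$mtype" "$hex"
}

# Return 0 if the record matches the certificate in $1, 1 on mismatch, 2 if it is a record
# type this check does not handle (only selector 1 / matching type 1 is computed here).
tlsa_matches() {
  pem=$1
  rec=$(normalize_tlsa "$2") || return 2
  set -- $rec
  if [ "${2:-}" != 1 ] || [ "${3:-}" != 1 ]; then
    echo "only selector 1 / matching type 1 (SPKI SHA-256) is handled" >&2
    return 2
  fi
  expected=$(spki_sha256 "$pem")
  [ "${4:-}" = "$expected" ]
}

# Fetch the leaf certificate the MTA really presents on its STARTTLS port, so the
# check can be run against what clients see rather than against a file on disk.
# Needs network access, so it is not exercised by the test. Example: live_leaf_cert mx.example 25
live_leaf_cert() {
  openssl s_client -starttls smtp -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# Stand-alone use: tlsa_check.sh /path/to/cert.pem "3 1 1 <hex as printed by dig>"
if [ "$#" -eq 2 ]; then
  if tlsa_matches "$1" "$2"; then echo "match"; else echo "MISMATCH"; exit 1; fi
fi
```

For a roll-over check of the `2 1 1` record, pass the root certificate file instead of the leaf; the digest logic is the same, only the usage field differs.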