TLSA is a new kid in the DNS protocol. Ok, not exactly new, but change comes slowly even on the Internet. TLSA is a DNS record type, which allows a domain owner to specify which certificate is valid for a particular service.

If you read that hastily, read it again, because it’s pretty different from how we currently do things. I’m referring to the old model that wants you to buy a signed certificate for e.g. your website, mail server et cetera.

The commercial incentive for this is not an argument that makes up for the lack of technical alternative approaches. Simply said: everyone has the ability to generate certificates. It’s just that companies like Apple, Mozilla and Google collect a bunch of these, and then decide both for you, and for the owner of the domain you visit, which third parties are allowed to vouch for a verified and encrypted connection.

TLSA, which is part of the DANE specification, is a free (as in beer and libre) alternative. It removes the authority from centralised sources, to you, the owner of a domain. You simply add an SSL certificate’s cryptographic hash, together with a few other options, into the DNS, and the client (browser, etc.) will seek no further to verify the authenticity of its connection.

Although this is not supported by browsers yet, my instincts tell me that will probably change, one day soon. If you already knew about this and just want to find out about how to generate a hash, you’re almost there.

I found a generator for TLSA records, but it took me a while to figure out how to generate the hash of a certificate’s public key. That’s the second number set to 1 in the DNS record.

If you understand how DNS works, yet have no idea what I mean, go read How to create DNSsec DANE TLSA entries by Marcel Waldvogel who explains it quite nicely.

With the following command:

openssl x509 -in -noout -pubkey | grep -ve '^--' | base64 -d | sha256sum

You get a hash of the SPKI.

If you would rather get the hash of the full certificate, the following command will help you find it:

openssl x509 -in -outform DER | sha256sum

Hungry for more about TLSA? DNSSEC and Certificates by Shumon Huque is another article that helped me make sense of it.

You can also use sha512 hashes if you are so inclined, like I was. 🙂