TLSA(1)                     General Commands Manual                    TLSA(1)

NAME
       tlsa -- generate DANE TLSA record

SYNOPSIS
       tlsa [-u usage] [-s selector] [-m match] [-t ttl] [-c class] domain
            certfile

DESCRIPTION
       tlsa writes a DANE TLSA record to standard output.

       The record is generated with the name domain using the certificate in
       certfile.

       A TLSA record specifies the TLS certificate validation policy for the
       server running on the port and transport protocol given in the name
       prefix.  The prefix is formed by prepending the decimal port number
       and the protocol name to the domain name, each as its own label
       beginning with `_'.  For example, an HTTPS server running on
       www.example.com TCP port 443 would use the name
       _443._tcp.www.example.com.

OPTIONS
       -u      The usage type of the record, specifying how the TLS
               certificate should be validated.  Possible values are:

               pkix-ta (0)  Standard PKIX certificate validation, except that
                            the specified certificate must match a certificate
                            authority (CA) in the server's certificate chain.

               pkix-ee (1)  Standard PKIX certificate validation, except that
                            the specified certificate must match the
                            end-entity (EE) in the server's certificate chain.

               dane-ta (2)  The certificate must match a certificate authority
                            (CA) in the server's certificate chain.  The CA
                            need not be part of the client's trusted CA set.

               dane-ee (3)  The certificate must match the end-entity (EE) in
                            the server's certificate chain.  PKIX validation
                            is skipped.

               The default is dane-ee.

       -s      The selector of the record, specifying which part of the TLS
               certificate should be matched against.  Possible values are:

               cert (0)    Match the full Certificate.

               pubkey (1)  Match only the SubjectPublicKeyInfo substructure of
                           the Certificate.

               The default is pubkey.

       -m      The matching type of the record, specifying how the certificate
               association data is presented.  Possible values are:

               exact (0)   The selected part of the certificate is presented
                           in full as the certificate association data.

               sha256 (1)  The SHA256 hash of the selected part of the
                           certificate is used as the certificate association
                           data.

               sha512 (2)  The SHA512 hash of the selected part of the
                           certificate is used as the certificate association
                           data.

               The default is sha256.

       -t      The TTL value of the record.  If not specified, the TTL is
               omitted.

       -c      The record class.  Defaults to IN.

EXAMPLES
       Generate a TLSA record for an HTTPS server running on www.example.com
       TCP port 443:

             $ tlsa _443._tcp.www.example.com. cert.pem
             _443._tcp.www.example.com.      IN      TLSA    3 1 1 8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b922
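       The same record construction, as an added Python example that is not
       part of tlsa(1) or its source.  It uses only the standard library: a
       minimal DER walker locates the SubjectPublicKeyInfo inside the
       certificate (selector pubkey), the chosen digest is applied (matching
       type), and the usage/selector/matching-type numbers from OPTIONS are
       printed in front of the hex data.  Its input is a constructed,
       cryptographically meaningless certificate skeleton built inline, not a
       real certificate, so the hash it prints differs from the one in the
       example above; with a real PEM file, pass its text to pem_to_der().
       The field names, the der() helper and the sample OIDs are this
       example's own.

```python
"""Build a DANE TLSA record from a certificate (added example, not tlsa(1)).

Only the Python standard library is used.  The DER walker below is just
enough to pull the SubjectPublicKeyInfo out of an X.509 certificate; it is
not a general ASN.1 parser.
"""
import base64
import hashlib

# Numeric field values, as listed in the OPTIONS section of tlsa(1).
USAGES = {"pkix-ta": 0, "pkix-ee": 1, "dane-ta": 2, "dane-ee": 3}
SELECTORS = {"cert": 0, "pubkey": 1}
MATCHES = {"exact": 0, "sha256": 1, "sha512": 2}


def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM file into DER bytes."""
    body, inside = [], False
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside = True
        elif line.startswith("-----END CERTIFICATE-----"):
            break
        elif inside:
            body.append(line.strip())
    if not body:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body))


def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, whole_element_bytes) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = der_tlv(buf, pos)
        yield tag, buf[pos:vend]
        pos = vend


def subject_public_key_info(cert_der):
    """Return the DER bytes of the certificate's SubjectPublicKeyInfo.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { version [0] OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, vs, ve = der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs_tag, tbs = next(der_children(cert_der, vs, ve))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, tvs, tve = der_tlv(tbs, 0)
    fields = list(der_children(tbs, tvs, tve))
    if fields and fields[0][0] == 0xA0:    # explicit [0] version is optional
        fields = fields[1:]
    spki_tag, spki = fields[5]             # serial, sigalg, issuer, validity, subject, SPKI
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


def tlsa_rdata(cert_der, usage="dane-ee", selector="pubkey", match="sha256"):
    """Return 'usage selector matching-type hex-data'; defaults follow tlsa(1)."""
    data = cert_der if selector == "cert" else subject_public_key_info(cert_der)
    if match == "sha256":
        data = hashlib.sha256(data).digest()
    elif match == "sha512":
        data = hashlib.sha512(data).digest()
    return f"{USAGES[usage]} {SELECTORS[selector]} {MATCHES[match]} {data.hex()}"


def tlsa_record(name, cert_der, ttl=None, rclass="IN", **kw):
    """Assemble the presentation-format record; the TTL is omitted when None."""
    fields = [name] + ([str(ttl)] if ttl is not None else []) + [rclass, "TLSA"]
    return " ".join(fields + [tlsa_rdata(cert_der, **kw)])


# --- constructed sample input: a structurally valid skeleton, not a real cert ---
def der(tag, content):
    """Minimal DER encoder used only to build the sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption
SHA256_RSA_OID = der(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
SAMPLE_SPKI = der(0x30, der(0x30, RSA_OID + der(0x05, b"")) + der(0x03, b"\x00\x30\x03\x02\x01\x03"))
SAMPLE_TBS = der(0x30,
    der(0xA0, der(0x02, b"\x02")) +                                          # version v3
    der(0x02, b"\x01") +                                                     # serialNumber
    der(0x30, SHA256_RSA_OID + der(0x05, b"")) +                             # signature algorithm
    der(0x30, b"") +                                                         # issuer (empty Name)
    der(0x30, der(0x17, b"210510000000Z") + der(0x17, b"220510000000Z")) +  # validity
    der(0x30, b"") +                                                         # subject (empty Name)
    SAMPLE_SPKI)
SAMPLE_CERT_DER = der(0x30, SAMPLE_TBS + der(0x30, SHA256_RSA_OID + der(0x05, b"")) + der(0x03, b"\x00" * 5))
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_CERT_DER).decode()
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    cert = pem_to_der(SAMPLE_CERT_PEM)
    print(tlsa_record("_443._tcp.www.example.com.", cert, ttl=3600))
```

       Selecting pubkey rather than cert is what lets the published record
       survive a certificate renewal that keeps the same key pair, which is
       why tlsa(1) defaults to it; the record must still be republished
       whenever the key changes.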

SEE ALSO
       dnskey(1), ds(1), nsec(1), rrsig(1)

FreeBSD ports 15.0               May 10, 2021                          TLSA(1)
