@gwire
Last active October 19, 2025 08:16
Generating TLSA records from Let's Encrypt intermediate certs
  • Download intermediate certs as .pem from Let's Encrypt
  • Add records based on:
    • type (R is RSA, E is ECDSA)
    • just the current keys, backup key, and future keys
  • Use a "2 1 1" record:
    • 2 is Trust Anchor (TA)
    • 1 is the public key (0 is the full cert)
    • 1 is SHA-256 (2 is SHA-512)
for i in *.pem;
do
 echo ""; echo "# $i";
 # extract the SubjectPublicKeyInfo as PEM, re-encode it as DER, then SHA-256 it
 openssl x509 -in "$i" -pubkey -noout \
 | openssl pkey -pubin -outform der \
 | openssl dgst -sha256 -hex \
 | awk '{print "_443._tcp.www IN TLSA 2 1 1", $NF}';
done
# e5.pem
_443._tcp.www IN TLSA 2 1 1 3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8

# e6.pem
_443._tcp.www IN TLSA 2 1 1 d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7

# e7.pem
_443._tcp.www IN TLSA 2 1 1 cbbc559b44d524d6a132bdac672744da3407f12aae5d5f722c5f6c7913871c75

# e8.pem
_443._tcp.www IN TLSA 2 1 1 885bf0572252c6741dc9a52f5044487fef2a93b811cdedfad7624cc283b7cdd5

# e9.pem
_443._tcp.www IN TLSA 2 1 1 f1440a9b76e1e41e53a4cb461329bf6337b419726be513e42e19f1c691c5d4b2

# int-ye1.pem
_443._tcp.www IN TLSA 2 1 1 6ebcefb4210b088654a38b03fea3d7d1c711b4fb1ddc363a45f9b1a4e53da01e

# int-ye2.pem
_443._tcp.www IN TLSA 2 1 1 b3fb5d00e994cddf2cc9a4eea9f806bc5727e83cc0e4299bf956f2d524fe5376

# int-ye3.pem
_443._tcp.www IN TLSA 2 1 1 a698a20824be04e47a1a33c4fa488731be92011f23a31e900e2ca26c9c2acfce

# int-yr1.pem
_443._tcp.www IN TLSA 2 1 1 2e8307068b6db620e4a39d068b5dee5d6ef5788cbb2c0b6d23ead84fcc17178c

# int-yr2.pem
_443._tcp.www IN TLSA 2 1 1 9d637b3d27a9e570d07607b9ccadb80a70915c7af72afce12841b1b1da825fd1

# int-yr3.pem
_443._tcp.www IN TLSA 2 1 1 51aaa87d984b559ac69e929f888a022d832e089ff4dba0a412b5101bca4bc799

# lets-encrypt-e1.pem
_443._tcp.www IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10

# lets-encrypt-e2.pem
_443._tcp.www IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270

# lets-encrypt-r3.pem
_443._tcp.www IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d

# lets-encrypt-r4.pem
_443._tcp.www IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03

# r10.pem
_443._tcp.www IN TLSA 2 1 1 2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba

# r11.pem
_443._tcp.www IN TLSA 2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7

# r12.pem
_443._tcp.www IN TLSA 2 1 1 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4

# r13.pem
_443._tcp.www IN TLSA 2 1 1 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d

# r14.pem
_443._tcp.www IN TLSA 2 1 1 f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888
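The following is an added example, not part of the gist: a dependency-free Python version of the openssl pipeline above, plus a checker that recomputes a published record against a certificate so you can confirm that the records in your zone still match the chain your server sends. Selector 1 hashes the DER-encoded SubjectPublicKeyInfo including its outer SEQUENCE tag and length, which is exactly what `openssl pkey -pubin -outform der` emits, so the two agree. All function names are this example's own, and the certificate it builds is a constructed DER skeleton with placeholder key bits, not a real Let's Encrypt intermediate; feed it a real `.pem` via `pem_to_der_list()` to get the same digests as the gist.

```python
"""Compute and check DANE TLSA records (RFC 6698) from X.509 certificates.

Added example: pure-stdlib DER walking, no openssl or cryptography needed.
"""
import base64
import hashlib
import re
import sys

# ---- tiny DER encoder, used only to build the CONSTRUCTED sample cert ----
def der_len(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value

def seq(*children: bytes) -> bytes:
    return tlv(0x30, b"".join(children))

# ---- tiny DER decoder ----
def der_read(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the element starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, end

def der_children(buf: bytes, start: int, end: int):
    """Yield (tag, full_tlv_bytes) for each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = der_read(buf, pos)
        yield tag, buf[pos:vend]
        pos = vend

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV, i.e. what TLSA selector 1 hashes."""
    tag, s, e = der_read(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs = next(der_children(cert_der, s, e))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, ts, te = der_read(tbs, 0)
    fields = list(der_children(tbs, ts, te))
    # tbsCertificate: [0] version (optional), serial, sigAlg, issuer, validity, subject, SPKI, ...
    if fields and fields[0][0] == 0xA0:
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return fields[5][1]

# ---- PEM helpers ----
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_text: str) -> list:
    """Decode every CERTIFICATE block in a file (a chain file yields several)."""
    return [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(pem_text)]

def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# ---- TLSA ----
def tlsa_data(cert_der: bytes, selector: int, mtype: int) -> str:
    """Association data: selector 0 = full cert, 1 = SPKI; mtype 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported selector/matching type")
    data = cert_der if selector == 0 else extract_spki(cert_der)
    return {0: data.hex(), 1: hashlib.sha256(data).hexdigest(),
            2: hashlib.sha512(data).hexdigest()}[mtype]

def tlsa_record(cert_der: bytes, owner="_443._tcp.www", usage=2, selector=1, mtype=1) -> str:
    """Render a zone-file line in the same shape as the gist's awk output."""
    if usage not in (0, 1, 2, 3):
        raise ValueError(f"unknown usage {usage}")
    return f"{owner} IN TLSA {usage} {selector} {mtype} {tlsa_data(cert_der, selector, mtype)}"

_RR_RE = re.compile(r"TLSA\s+(\d)\s+(\d)\s+(\d)\s+([0-9a-fA-F]+)\s*$")

def record_matches(record_line: str, cert_der: bytes) -> bool:
    """Recompute a published TLSA line against a certificate; True if the data agrees."""
    m = _RR_RE.search(record_line)
    if not m:
        raise ValueError("not a TLSA record line")
    return tlsa_data(cert_der, int(m[2]), int(m[3])) == m[4].lower()

def constructed_sample_cert(with_version: bool = True) -> bytes:
    """CONSTRUCTED unsigned skeleton with real X.509 field layout; key/signature are placeholders."""
    ec_pub = tlv(0x06, bytes.fromhex("2a8648ce3d0201"))        # id-ecPublicKey
    p256 = tlv(0x06, bytes.fromhex("2a8648ce3d030107"))        # prime256v1
    spki = seq(seq(ec_pub, p256), tlv(0x03, b"\x00\x04" + b"\xab" * 64))
    sig_alg = seq(tlv(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
    name = seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, b"constructed sample"))))
    validity = seq(tlv(0x17, b"250101000000Z"), tlv(0x17, b"260101000000Z"))
    fields = [tlv(0xA0, tlv(0x02, b"\x02"))] if with_version else []
    fields += [tlv(0x02, b"\x01"), sig_alg, name, validity, name, spki]
    return seq(seq(*fields), sig_alg, tlv(0x03, b"\x00" + b"\x00" * 70))

if __name__ == "__main__":
    files = sys.argv[1:]
    certs = [c for f in files for c in pem_to_der_list(open(f).read())] or [constructed_sample_cert()]
    for c in certs:
        print(tlsa_record(c))
```

Run it with one or more `.pem` files as arguments to reproduce the gist's lines, or with none to see the constructed sample. `record_matches()` is the check worth scripting: after a chain change on the server, pull the served intermediates and confirm every one of them is covered by a record still in the zone before the old records are retired.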