TLSA(1) FreeBSD General Commands Manual TLSA(1)

NAME
     tlsa - generate DANE TLSA record

SYNOPSIS
     tlsa [-u usage] [-s selector] [-m match] [-t ttl] [-c class] domain certfile

DESCRIPTION
     tlsa writes a DANE TLSA record to standard output.

     The record is generated with the name domain using the certificate in
     certfile.

     A TLSA record specifies the TLS certificate validation policy for the
     server running on the port and transport protocol given in the name
     prefix.  The prefix is formed by prepending the decimal port number and
     the protocol name to the domain name, each as its own label beginning
     with ‘_’.  For example, an HTTPS server running on www.example.com TCP
     port 443 would use the name _443._tcp.www.example.com.

     The options are as follows:

     -u usage
             The usage type of the record, specifying how the TLS certificate
             should be validated.  Possible values, listed with the numeric
             usage field each one produces in the record, are:

             0       Standard PKIX certificate validation, except that the
                     specified certificate must match a certificate authority
                     (CA) in the server's certificate chain.
             1       Standard PKIX certificate validation, except that the
                     specified certificate must match the end-entity (EE) in
                     the server's certificate chain.
             2       The certificate must match a certificate authority (CA)
                     in the server's certificate chain.  The CA need not be
                     part of the client's trusted CA set.
             3       The certificate must match the end-entity (EE) in the
                     server's certificate chain.  PKIX validation is skipped.
                     This is the dane-ee usage.

             The default is dane-ee.

     -s selector
             The selector of the record, specifying which part of the TLS
             certificate should be matched against.  Possible values, listed
             with the numeric selector field each one produces, are:

             0       Match the full Certificate.
             1       Match only the SubjectPublicKeyInfo substructure of the
                     Certificate.  This is the pubkey selector.

             The default is pubkey.

     -m match
             The matching type of the record, specifying how the certificate
             association data is presented.  Possible values, listed with the
             numeric matching type field each one produces, are:

             0       The selected part of the certificate is presented in full
                     as the certificate association data.
             1       The SHA256 hash of the selected part of the certificate is
                     used as the certificate association data.  This is the
                     sha256 matching type.
             2       The SHA512 hash of the selected part of the certificate is
                     used as the certificate association data.

             The default is sha256.

     -t ttl  The TTL value of the record.  If not specified, the TTL is
             omitted.

     -c class
             The record class.  Defaults to IN.

EXAMPLES
     Generate a TLSA record for an HTTPS server running on example.com TCP
     port 443:

           $ tlsa _443._tcp.www.example.com. cert.pem
           _443._tcp.www.example.com.	IN	TLSA	3 1 1 8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b922
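     The record construction described above, as an added example that is not
     part of the tlsa(1) manual or its source: pure-standard-library Python
     that locates the SubjectPublicKeyInfo inside a DER certificate, applies
     the selector and matching type, and prints the record in the same
     presentation format as the example output.  The certificate bytes are a
     constructed, unsigned skeleton (not a real certificate), and the names
     spki_from_cert, tlsa_rdata and tlsa_record are chosen here.

```python
import base64, hashlib

def _tlv(der, pos):
    """Parse one DER element at pos; return (tag, full encoding, inner value, next pos)."""
    start, tag, length, pos = pos, der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    end = pos + length
    return tag, der[start:end], der[pos:end], end

def spki_from_cert(der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 Certificate (RFC 5280 field order)."""
    _, _, cert_body, _ = _tlv(der, 0)       # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, _, tbs, _ = _tlv(cert_body, 0)       # TBSCertificate ::= SEQUENCE { ... }
    tag, _, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0         # skip the optional [0] EXPLICIT version field
    for _ in range(6):                      # serial, signature, issuer, validity, subject, SPKI
        _, full, _, pos = _tlv(tbs, pos)
    return full

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """RDATA as tlsa(1) prints it: selector 0 = full cert, 1 = SPKI; match 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    if mtype not in (0, 1, 2):
        raise ValueError("matching type must be 0 (full), 1 (sha256) or 2 (sha512)")
    data = spki_from_cert(cert_der) if selector == 1 else cert_der
    if mtype:
        data = (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).digest()
    return f"{usage} {selector} {mtype} {data.hex()}"

def tlsa_record(name, cert_pem, usage=3, selector=1, mtype=1, ttl=None, rclass="IN"):
    """Tab-separated presentation record; defaults mirror tlsa(1) (dane-ee, pubkey, sha256, TTL omitted)."""
    body = cert_pem.split("-----BEGIN CERTIFICATE-----")[1].split("-----END CERTIFICATE-----")[0]
    fields = [name] + ([str(ttl)] if ttl is not None else []) + [rclass, "TLSA"]
    return "\t".join(fields + [tlsa_rdata(base64.b64decode(body), usage, selector, mtype)])

def _der(tag, value):
    """Minimal DER encoder (tag, length, value) used only to build the constructed sample below."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value

# Constructed sample: structurally valid certificate skeleton with a dummy key and signature, not a real cert.
_OID_ECDSA_SHA256 = _der(0x06, bytes.fromhex("2A8648CE3D040302"))
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2A8648CE3D0201"))) + _der(0x03, b"\x00" + bytes(range(33))))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, _OID_ECDSA_SHA256)
            + _der(0x30, b"") + _der(0x30, _der(0x17, b"210510000000Z") * 2) + _der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT_DER = _der(0x30, _TBS + _der(0x30, _OID_ECDSA_SHA256) + _der(0x03, b"\x00demo-sig"))
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER).decode() + "-----END CERTIFICATE-----\n"
```

     Calling tlsa_record("_443._tcp.www.example.com.", SAMPLE_CERT_PEM) yields
     a "3 1 1" record whose hash is the SHA-256 of the sample SPKI, which is
     the same check an operator can make against a live certificate before
     publishing the record.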

SEE ALSO
     dnskey(1), ds(1), nsec(1), rrsig(1)

May 10, 2021 FreeBSD 14.3-RELEASE
