DANE TLSA and reuse-key

Hi everybody!

First thanks to Let's Encrypt to exist, great job.

I need some help. I created a DANE TLSA record in my DNS, based on a Let's Encrypt certificate. All is OK but (there is always a "but", sorry), I need to change my record at every renewal.
I use --reuse-key and in the configuration file reuse-key=True but it's not enough.

After each renewal, the command:
$ openssl x509 -in /etc/letsencrypt/live/mail.domain.com/fullchain.pem -outform DER | openssl sha256
doesn't show the same result.
What can I do to not be annoyed at each renewal?



That's to be expected. You're generating the SHA256 hash over the entire certificate. While the key pair might be reused, the entire certificate is of course updated. And thus the SHA256 hash gets updated too.

You probably want to check the -noout -modulus options for x509 to check just the public key of the certificate. And check cert.pem and not fullchain.pem, although x509 only uses the first cert I guess from fullchain.pem.


To add to @Osiris answer:

If you want the DANE fingerprint to be the same on each renewal, you need:

  • To reuse your keypair
  • To use the certificate's public key as a selector in your DANE TLSA record as per RFC 7671 section 5.1. Typically you would use something like "3 1 1" (which means DANE-EE, selector SPKI, SHA-256).

To generate the SPKI (SubjectPublicKeyInfo) hash of a certificate (which is just the hash over the certificate's public key), the following OpenSSL commands will do, assuming you're using RSA certificates (the below will not work for EC):

openssl x509 -in cert.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256

If you're using an ECDSA certificate, you will need something different, but the overall idea is the same: get the public key from the certificate's Subject Public Key Info field in DER form and hash that using the appropriate digest.
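The following script is an added example and is not code from this thread or from Certbot. It puts the two answers above together: it hashes the certificate's SubjectPublicKeyInfo (the "3 1 1" record) instead of the whole certificate (what the opening post hashed, which is a "3 0 1" record), and it goes one step beyond the RSA-only pipeline by using `openssl pkey`, which handles RSA and EC public keys alike. The key and certificate files are constructed test data generated on the fly (self-signed certificates stand in for successive Let's Encrypt issuances with and without a reused key); `mail.example.test` and port 25 are placeholder values.

```shell
#!/bin/sh
# Added example, not code from the thread: derive a "3 1 1" (DANE-EE, SPKI,
# SHA-256) TLSA record from a certificate and show it stays stable across
# renewals as long as the key pair is reused. `openssl pkey` handles RSA and
# EC public keys alike; `openssl rsa` only works for RSA.
set -eu

# Last whitespace-separated field of `openssl dgst` output: the hex digest in
# both the "SHA256(stdin)= ..." (1.x) and "SHA2-256(stdin)= ..." (3.x) formats.
digest_hex() { openssl dgst -sha256 | awk '{ print $NF }'; }

# spki_sha256 CERT.pem -> SHA-256 over the DER SubjectPublicKeyInfo (selector 1)
spki_sha256() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | digest_hex
}

# cert_sha256 CERT.pem -> SHA-256 over the whole DER certificate (selector 0);
# this is what the opening post hashed, and it changes on every renewal.
cert_sha256() {
    openssl x509 -in "$1" -outform DER | digest_hex
}

# tlsa_record PORT HOST CERT.pem -> zone-file line for a 3 1 1 record
tlsa_record() {
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$2" "$(spki_sha256 "$3")"
}

# make_cert KEY.pem OUT.pem DAYS -> constructed self-signed test certificate;
# each call stands in for one issuance (a fresh random serial every time).
make_cert() {
    openssl req -new -x509 -key "$1" -subj /CN=mail.example.test -days "$3" -out "$2" 2>/dev/null
}

# reuse_key_check -> exit 0 when: same key  => same SPKI hash, different cert hash
#                                 fresh key => different SPKI hash
reuse_key_check() {
    dir=$(mktemp -d)
    # constructed test keys (EC P-256): one reused across two "renewals", one fresh
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/reused.pem" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/fresh.pem" 2>/dev/null
    make_cert "$dir/reused.pem" "$dir/cert1.pem" 1
    make_cert "$dir/reused.pem" "$dir/cert2.pem" 2
    make_cert "$dir/fresh.pem"  "$dir/cert3.pem" 1
    s1=$(spki_sha256 "$dir/cert1.pem")
    s2=$(spki_sha256 "$dir/cert2.pem")
    s3=$(spki_sha256 "$dir/cert3.pem")
    c1=$(cert_sha256 "$dir/cert1.pem")
    c2=$(cert_sha256 "$dir/cert2.pem")
    # the two records for the reused key print identically
    tlsa_record 25 mail.example.test "$dir/cert1.pem"
    tlsa_record 25 mail.example.test "$dir/cert2.pem"
    rm -rf "$dir"
    [ "$s1" = "$s2" ] && [ "$c1" != "$c2" ] && [ "$s1" != "$s3" ]
}

reuse_key_check && echo "3 1 1 record unchanged across reuse-key renewals"
```

Run it as-is to see the two identical zone-file lines; to check a real deployment, call `spki_sha256 /etc/letsencrypt/live/<name>/cert.pem` before and after a renewal made with `--reuse-key` and compare, and publish only the SPKI hash (selector 1), never the whole-certificate hash (selector 0), if you want the record to survive renewals.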

