Wildcard certificate and DANE/TLSA records

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Dec 31 20:21:50 CET 2018

> On Dec 31, 2018, at 2:01 PM, zorion <zorion at autistici.org> wrote:
> Ok, I had a hard time finding out what exactly the *trust-anchor* was
> supposed to be. I took a guess that it was the combined cert chain, but
> obviously that is not it.

A trust-anchor is any issuing CA you designate as trusted; it does
not have to be a root CA, it can also be any intermediate CA.

> What exactly is the trust-anchor? Is it the top level cert from the CA
> in the chain (#4 in your danecheck below)?

It is any of 2, 3 or 4.  The important constraint with DANE-TA(2), as
explained in https://tools.ietf.org/html/rfc7671#section-5.2.2, is
that if you do choose a root CA as your trust-anchor, unlike the
case in non-DANE PKIX protocols, it MUST be sent to the client along
with the intermediate issuer certificates.

To compute the digest of a CA certificate, create a PEM file containing
just that certificate.  Or use my "chaingen" script (attached), which
can process a complete chain of certificates, but DO NOT then publish
all the TLSA records it outputs.  Publish no more than one TLSA record
per certificate in the chain, typically just the "3 1 1" for the EE
cert, and "2 1 1" for the TA certs.  And no need to match at every
level.  At most two trust anchors (typically just one) are enough.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: chaingen
Type: application/octet-stream
Size: 1876 bytes
Desc: not available
URL: <https://mail.sys4.de/pipermail/dane-users/attachments/20181231/ba8e1a95/attachment.obj>