DANE / TLSA Generator

Create TLSA records from your server certificate

Generate TLSA Records

Configure the record location and parameters, then paste the server certificate to compute the real hash.

MX / server hostname
Port
Protocol
Certificate (PEM)
Paste the server's certificate. The hash is computed locally in your browser — nothing is uploaded.
Certificate usage
Selector
Matching type
Generated Record_25._tcp.mx1.example.com
TLSA resource record, regenerated live from the configuration above.
Parameters
3 1 1
1
TLSA record — zone file format
BIND / generic zone file
_25._tcp.mx1.example.com.  IN  TLSA  3 1 1 adea2c3d962d5f8ff2c364fd0b114da07b35aa8d15fa25571bc9e36ab905e800
Record anatomy
3
Usage
DANE-EE — Match the server certificate itself. Recommended for SMTP.
1
Selector
SPKI — Public key only — survives certificate renewal.
1
Matching type
SHA-256 — Recommended digest.
adea2c3d962d…
Association data
Example digest — paste a certificate to compute the real one.
2
Verify with OpenSSL
compute the same hash from the live server
openssl s_client -starttls smtp -connect mx1.example.com:25 < /dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 -hex
Deployment checklist
1
Sign the zone with DNSSECDANE only works in DNSSEC-signed zones; unsigned TLSA records are silently ignored by senders.
2
Publish the TLSA recordadd the record at _25._tcp.mx1.example.com with your DNS provider and wait for propagation.
3
Verify from outsiderun the OpenSSL command above and confirm the digest matches the published record — or use our DANE Checker.
4
Plan key rolloverspublish the new key's TLSA record alongside the old one before rotating, and remove the old record after 2 × TTL.
The hash shown is a simulated example until a certificate is pasted. DANE requires the zone to be DNSSEC-signed — TLSA records in unsigned zones are ignored by senders.
Related Tools
DANE CheckerDNSSEC ValidatorCertificate DecoderMTA-STS Generator
Tool Features

Everything you need to publish a correct TLSA record

Real Hashes

Computes the actual SPKI or full-cert digest from your PEM

100% Client-Side

Your certificate never leaves the browser

OpenSSL Commands

Ready-made verification command for the live server

Zone File Ready

Copy-paste record in BIND / generic zone format

Learn more

Guides & explainers related to this tool

Guide

How to Enable DNSSEC

DANE's prerequisite: sign your zone and publish DS records at the registrar.

Article

What Is DNSSEC?

How the DNS chain of trust works and why DANE depends on it.

Article

What Is MTA-STS?

The HTTPS-based alternative to DANE for enforcing SMTP TLS.

Related Tools
Discover similar utilities
Authentication

DANE / TLSA Checker