DANE / TLSA Generator
Create TLSA records from your server certificate
Generate TLSA Records
Configure the record location and parameters, then paste the server certificate to compute the real hash.
MX / server hostname
Port
Protocol
Certificate (PEM)
Paste the server's certificate. The hash is computed locally in your browser — nothing is uploaded.
Certificate usage
Selector
Matching type
Generated Record_25._tcp.mx1.example.com
TLSA resource record, regenerated live from the configuration above.
Parameters
3 1 11
TLSA record — zone file format
BIND / generic zone file
_25._tcp.mx1.example.com. IN TLSA 3 1 1 adea2c3d962d5f8ff2c364fd0b114da07b35aa8d15fa25571bc9e36ab905e800
Record anatomy
3
Usage
DANE-EE — Match the server certificate itself. Recommended for SMTP.
1
Selector
SPKI — Public key only — survives certificate renewal.
1
Matching type
SHA-256 — Recommended digest.
adea2c3d962d…
Association data
Example digest — paste a certificate to compute the real one.
2
Verify with OpenSSL
compute the same hash from the live server
openssl s_client -starttls smtp -connect mx1.example.com:25 < /dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 -hex
Deployment checklist
1
Sign the zone with DNSSEC — DANE only works in DNSSEC-signed zones; unsigned TLSA records are silently ignored by senders.
2
Publish the TLSA record — add the record at _25._tcp.mx1.example.com with your DNS provider and wait for propagation.
3
Verify from outside — run the OpenSSL command above and confirm the digest matches the published record — or use our DANE Checker.
4
Plan key rollovers — publish the new key's TLSA record alongside the old one before rotating, and remove the old record after 2 × TTL.
The hash shown is a simulated example until a certificate is pasted. DANE requires the zone to be DNSSEC-signed — TLSA records in unsigned zones are ignored by senders.
Tool Features
Everything you need to publish a correct TLSA record
Real Hashes
Computes the actual SPKI or full-cert digest from your PEM
100% Client-Side
Your certificate never leaves the browser
OpenSSL Commands
Ready-made verification command for the live server
Zone File Ready
Copy-paste record in BIND / generic zone format
Learn more
Guides & explainers related to this tool
Related Tools
Discover similar utilitiesAuthentication