dane_verify_crt_raw - Linux


dane_verify_crt_raw is a command-line tool for verifying DNS-based Authentication of Named Entities (DANE) certificates. It takes a raw TLSA or DANE-EE certificate, a hostname, and an optional trust anchor as input, and verifies if the certificate is valid for the given hostname.


dane_verify_crt_raw <certificate> <hostname> [<trust anchor>]


  • <certificate> is the raw TLSA or DANE-EE certificate in base64-encoded DER format
  • <hostname> is the hostname to verify the certificate for
  • <trust anchor> (optional) is the trust anchor to use for verification


  • -h, --help: show help


Simple usage: Verify a TLSA certificate for the hostname example.com:


Using a trust anchor: Verify a DANE-EE certificate for the hostname example.com using a trust anchor:

dane_verify_crt_raw MIH8MIH4MIGCBiAYgAAAAAAAJANBgkqhkiG9w0BAQUFADA6MREwDwYDVQQDEwhleGFtcGxlLmNvbTAeFw0yMjEwMDEyMDEwMDIwN1owDzENMAsGA1UEAxMEbG9jYWxob3N0MB4XDTIyMTAwMTAwMDAwMDAwWjAlMS4wLAYIKoZIzj0BAgQDEKd4QutTRzGh3yJ11Dg67rncxrXHH4gpGrcR5G+zcavZNDhR4gixBrcC3JcB+wK62pCytGpX1F08jZ4ym2QNDA== example.com C=US,O=Internet Security Research Group,CN=ISRG Root X1

Common Issues

  • Ensure that the certificate is in base64-encoded DER format.
  • Verify that the hostname matches the certificate’s subject name.
  • Check that the trust anchor (if specified) is valid and trusted.


dane_verify_crt_raw can be integrated into scripts or command chains for automated certificate verification. For example, it can be used to verify TLSA certificates for mail servers as part of an email security setup.

Related Commands

  • dane_verify_crt – verifies a DANE certificate by performing DNS lookups
  • dane_tlsserver – creates a TLS server that supports DANE-based authentication