dane_verify_crt_raw - Linux


Overview

dane_verify_crt_raw is a command-line tool for verifying certificates under DNS-based Authentication of Named Entities (DANE). It takes a raw TLSA or DANE-EE certificate, a hostname and an optional trust anchor as input, and verifies whether the certificate is valid for the given hostname.

Syntax

dane_verify_crt_raw <certificate> <hostname> [<trust anchor>]

where:

  • <certificate> is the raw TLSA or DANE-EE certificate in base64-encoded DER format
  • <hostname> is the hostname to verify the certificate for
  • <trust anchor> (optional) is the trust anchor to use for verification

Options/Flags

  • -h, --help: show help

Examples

Simple usage: Verify a TLSA certificate for the hostname example.com:

dane_verify_crt_raw MIH8MIHYMIGCBgA4gAAAAAAAJANBgkqhkiG9w0BAQUFADA6MREwDwYDVQQDEwhleGFtcGxlLmNvbTAeFw0yMjEwMDEyMDEwMDU0N1owDzENMAsGA1UEAxMEbG9jYWxob3N0MB4XDTIyMTAwMTAwMDAwMDAwWjAjMSEwHwYDVQQDExh0ZXN0LWRhbmVlLWNhLmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9Yx09g1Q8q8sQhHKnICr3YB6xLWKS30F/6oQ/xGfyzBrXUtffr/O6IvQ944eD733phFcYz42rJ520m/PQePA== example.com

Using a trust anchor: Verify a DANE-EE certificate for the hostname example.com using a trust anchor:

dane_verify_crt_raw MIH8MIH4MIGCBiAYgAAAAAAAJANBgkqhkiG9w0BAQUFADA6MREwDwYDVQQDEwhleGFtcGxlLmNvbTAeFw0yMjEwMDEyMDEwMDIwN1owDzENMAsGA1UEAxMEbG9jYWxob3N0MB4XDTIyMTAwMTAwMDAwMDAwWjAlMS4wLAYIKoZIzj0BAgQDEKd4QutTRzGh3yJ11Dg67rncxrXHH4gpGrcR5G+zcavZNDhR4gixBrcC3JcB+wK62pCytGpX1F08jZ4ym2QNDA== example.com "C=US,O=Internet Security Research Group,CN=ISRG Root X1"

Common Issues

  • Ensure that the certificate is in base64-encoded DER format.
  • Verify that the hostname matches the certificate’s subject name.
  • Check that the trust anchor (if specified) is valid and trusted.

Integration

dane_verify_crt_raw can be integrated into scripts or command chains for automated certificate verification. For example, it can be used to verify TLSA certificates for mail servers as part of an email security setup.
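To show what the verification in the Overview amounts to on the DANE-EE path (the usage most mail-server TLSA records use), here is an added example that is not code from this page or from the tool itself: the end-entity certificate, or just its SubjectPublicKeyInfo, is hashed as the TLSA record's selector and matching type dictate and compared against the record's association data. The DER walker, the toy certificate and the TLSA record are all constructed for the example; the toy certificate is structurally valid DER but not a real or signed certificate.

```python
import hashlib
import hmac

USAGE_DANE_EE, SELECTOR_FULL, SELECTOR_SPKI, MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 3, 0, 1, 0, 1, 2  # RFC 6698 TLSA fields

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo: Certificate -> tbsCertificate -> 7th field."""
    _, pos, _ = der_tlv(cert_der, 0)       # enter Certificate SEQUENCE
    _, pos, _ = der_tlv(cert_der, pos)     # enter tbsCertificate SEQUENCE
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                        # skip optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                     # skip serialNumber, signature, issuer, validity, subject
        _, _, pos = der_tlv(cert_der, pos)
    return cert_der[pos:der_tlv(cert_der, pos)[2]]

def tlsa_matches(cert_der, usage, selector, mtype, assoc_data):
    """DANE-EE check: does the TLSA association data match this end-entity certificate?"""
    if usage != USAGE_DANE_EE:
        raise ValueError("only DANE-EE (usage 3) is handled in this example")
    subject = cert_der if selector == SELECTOR_FULL else extract_spki(cert_der)
    hashers = {MATCH_FULL: lambda b: b, MATCH_SHA256: lambda b: hashlib.sha256(b).digest(),
               MATCH_SHA512: lambda b: hashlib.sha512(b).digest()}
    return hmac.compare_digest(hashers[mtype](subject), assoc_data)   # constant-time compare

def verify_tlsa_rdata(cert_der, rdata):
    """rdata is TLSA wire format: usage(1) selector(1) matching-type(1) association data(n)."""
    return tlsa_matches(cert_der, rdata[0], rdata[1], rdata[2], rdata[3:])

def der(tag, *children):
    """Tiny DER encoder, used only to build the constructed toy certificate below (not a real or signed cert)."""
    body = b"".join(children)
    nbytes = (len(body).bit_length() + 7) // 8
    length = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | nbytes]) + len(body).to_bytes(nbytes, "big")
    return bytes([tag]) + length + body

ALG = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))           # ecdsa-with-SHA256 AlgorithmIdentifier
SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))), der(0x03, b"\x00\x04" + b"\x11" * 64))
TOY_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), ALG, der(0x30),
               der(0x30, der(0x18, b"20221001000000Z"), der(0x18, b"20231001000000Z")), der(0x30), SPKI),
               ALG, der(0x03, b"\x00" + b"\x22" * 70))
GOOD_RDATA = bytes([3, 1, 1]) + hashlib.sha256(SPKI).digest()          # the "3 1 1" record for this key
```

A record that names a different key, or a certificate whose key was rotated without the TLSA record being updated, fails the comparison, which is the failure the Common Issues list above is describing from the operator's side.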

Related Commands

  • dane_verify_crt – verifies a DANE certificate by performing DNS lookups
  • dane_tlsserver – creates a TLS server that supports DANE-based authentication