dnssec/gentlsa

   1 #!/bin/sh
   2
   3 set -e
   4 set -u
   5
   6 ports="443"
   7 while getopts "hp:" opt; do
   8   case "$opt" in
   9     h)
  10       echo "Usage: $0 [-p=ports] certificates..."
  11       exit 0
  12       ;;
  13     p)
  14       ports=$OPTARG
  15       ;;
  16   esac
  17 done
  18 shift $((OPTIND-1))
  19
  20 for crt in "$@"; do
  21   echo "Certificate ${crt}..."
  22   digest=$(openssl x509 -in "$crt" -noout -pubkey | openssl rsa -pubin -outform der 2>/dev/null | sha256sum | awk '{print $1}')
  23
  24   (
  25   openssl x509 -noout -text < "$crt" | awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0); print}' | tr ',' '\n' | awk -F: '$1=="DNS" {print $2}';
  26   openssl x509 -noout -subject < "$crt" | sed -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/'
  27   ) | sort -u | while read cn; do
  28   for port in $ports; do
  29     printf "_%d._tcp.%-40s IN TLSA 3 1 1 %s\n" "${port}" "${cn}." "${digest}"
  30   done
  31 done
  32 done