TLSA Generator

Create TLSA (DNS-based Authentication of Named Entities) records for certificate pinning and DANE implementation.

Domain:

Port:

Protocol:

Certificate Usage:

Domain-Issued Certificate - Certificate must match the one specified (most common)

Selector:

Subject Public Key Info - Use only the public key portion (recommended)

Matching Type:

SHA-256 Hash - Use SHA-256 hash of the certificate/key (recommended)

Certificate/Public Key (PEM) Hash Value

Certificate/Public Key:

Status: Invalid

Certificate data is required

Use usage type 3 (Domain-Issued Certificate) for most scenarios
Prefer selector 1 (SPKI) over selector 0 (full certificate) for flexibility
Use SHA-256 (1) or SHA-512 (2) matching types, avoid exact match (0)
Pin multiple certificates to avoid service disruption during certificate rotation
Test TLSA records with DANE validation tools before deployment

Example Configurations