On Wed, Dec 23, 2015 at 06:43:12PM +0000, Jeremy Harris wrote:
> > pain if it's not a private-CA. I need to work up a decent method
> > for generating a TA-mode TLSA for a random site using a public-CA.
>
> One hacking incident later:
>
> openssl s_client -connect <SERVER-HOST>:25 -starttls smtp -showcerts 2>/dev/null \
> | awk '/-----BEGIN CERTIFICATE-----/ { c=""; p=1 } /-----END CERTIFICATE-----/ {c = c $0 "\n"; p=0 } { if (p>0) c = c $0 "\n"; } END { print c }' \
> | openssl x509 -fingerprint -sha256 -noout \
> | awk -F= '{print $2}' \
> | tr -d : | tr '[A-F]' '[a-f]'
With the chaingen script I posted:
$ domain=example.com
$ host=$(dig +short -t mx "$domain" | sort -k1n | awk '{sub(/\.$/, "", $NF); print $NF; exit}')
$ openssl s_client -connect "$host:25" -starttls smtp -showcerts 2>&1 | chaingen
--
Viktor.
