On Mon, Sep 21, 2020 at 04:23:55AM -0200, Viktor Dukhovni via Exim-users wrote:
> Links to the actual certificates can be found at:
>
> https://letsencrypt.org/certificates/
> https://letsencrypt.org/certs/lets-encrypt-r3.pem
> https://letsencrypt.org/certs/lets-encrypt-e1.pem
>
> The "2 1 1" digests of "R3" and "E1" are (but don't take my word for it,
> re-compute these for yourself):
>
> ; $ tlsagen lets-encrypt-r3.pem smtp.example.org 2 1 1
> ;
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
>
> ; $ tlsagen lets-encrypt-e1.pem smtp.example.org 2 1 1
> ;
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
It was correclty noted in:
https://community.letsencrypt.org/t/dane-and-upcoming-le-issuer-certs/134172/2?u=ietf-dane
that the "backup" CAs should also be listed, as LE might need to switch
to using them in an emergency without prior notice.
Therefore the full list of DANE-TA(2) digests to publish (when relying
on these rather than "3 1 1" records) is:
; (These can be retired soon, but not just yet)
;
; letsencryptauthorityx3.pem
; letsencryptauthorityx4.pem
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18
_25._tcp.smtp.example.org. IN TLSA 2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B
; (May not be needed if your leaf cert is RSA, ECDSA certs
; will I expect be soon signed with one of these).
;
; lets-encrypt-e1.pem
; lets-encrypt-e2.pem
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
_25._tcp.smtp.example.org. IN TLSA 2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422E0C89270
; (May not be needed if your leaf cert is ECDSA, once
; ECDSA certificate issuance cuts over to e1/e2).
;
; lets-encrypt-r3.pem
; lets-encrypt-r4.pem
--
Viktor.
