This is a tool that grabs a certificate from a service and compares it to TLSA records. It can also generate TLSA records.



Check DANE on some HTTPS service

danetool www.example.com

Check DANE on an SMTP server

danetool --starttls=smtp mail.example.com:25

Use a different name in SNI

danetool myservice.example@hosting.example.net

SNI support needs LuaSec.

Generate a TLSA record

danetool --gen-tlsa=3-0-1 www.example.org

This should give additional output like:

DANE-EE     Cert    SHA2-256
3 0 1 642de54d84c30494157f53f657bf9f89b4ea6c8b16351fd7ec258d556f821040
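How a record like the one above is derived from a certificate, as an added Python example (not danetool's own code). It goes beyond the 3-0-1 case to cover the SPKI selector and the other matching types defined for TLSA; all function names and the sample bytes are constructed for illustration.

```python
import hashlib

# Parameter names from RFC 7218 (lookup tables constructed for this example).
USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR = {0: "Cert", 1: "SPKI"}
MATCH = {0: ("Full", None), 1: ("SHA2-256", hashlib.sha256), 2: ("SHA2-512", hashlib.sha512)}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki(der):
    """Return the SubjectPublicKeyInfo element (tag included) of a DER certificate."""
    _, pos, _ = read_tlv(der, 0)      # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)    # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                   # optional [0] version field
        pos = end
    for _field in range(5):           # serial, signature, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    return der[pos:read_tlv(der, pos)[2]]

def tlsa(der, triplet):
    """Return (header, record data) for a 'Usage-Selector-Match' triplet such as 3-0-1."""
    usage, selector, match = (int(x) for x in triplet.split("-"))
    if usage not in USAGE or selector not in SELECTOR or match not in MATCH:
        raise ValueError("unsupported TLSA parameters: " + triplet)
    data = spki(der) if selector == 1 else der   # selector 0 covers the whole certificate
    if MATCH[match][1]:                          # matching type 0 keeps the raw bytes
        data = MATCH[match][1](data).digest()
    header = " ".join((USAGE[usage], SELECTOR[selector], MATCH[match][0]))
    return header, "%d %d %d %s" % (usage, selector, match, data.hex())

def matches(der, record):
    """True if the certificate satisfies one TLSA record given as 'u s m hex'."""
    u, s, m, assoc = record.split()
    return tlsa(der, "%s-%s-%s" % (u, s, m))[1].split()[3] == assoc.lower()

# Constructed sample: a skeletal DER structure shaped like a certificate, not a real one.
def tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body

SAMPLE_SPKI = tlv(0x30, b"constructed-key")
SAMPLE_CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
                  + tlv(0x30) * 4 + SAMPLE_SPKI) + tlv(0x30) + tlv(0x03, b"\x00"))
```

For a real service, feed `tlsa()` the DER bytes of the PEM certificate the tool dumps, for example via `ssl.PEM_cert_to_DER_cert()`.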



Sends some data before starting the TLS handshake.

Supported values for --starttls are:

  • smtp
  • imap
  • xmpp-client
  • xmpp-server


Takes a triplet of numeric Usage, Selector and Match parameters separated by hyphens.


Dumps the certificate in PEM format.