#!/bin/bash
set -euo pipefail
# Usage: ./tlsa <certificate filename>
# Generates a TLSA record based on the given certificate's public key.

echo -n "3 1 1 " # DANE-EE Publickey SHA256
openssl x509 -noout -pubkey -in "$1" | openssl rsa -pubin -outform DER 2>/dev/null | sha256sum | cut -d' ' -f 1 | tr 'a-z' 'A-Z'