--- /dev/null
+#!/bin/bash
+set -euo pipefail
+# Usage: ./tlsa <certificate filename>
+# Generates a TLSA record based on the given certificate's public key.
+
+echo -n "3 1 1 " # DANE-EE Publickey SHA256
+openssl x509 -noout -pubkey -in "$1" | openssl rsa -pubin -outform DER 2>/dev/null | sha256sum | cut -d' ' -f 1 | tr 'a-z' 'A-Z'