I’ve been working on getting DNS servers talking to each other using DNS-over-TLS, and have found myself using TLS key-pinning. For more info about TLS key-pinning check out https://timtaubert.de/blog/2014/10/http-public-key-pinning-explained/.

For key-pinning you have to generate the SHA-256 pin: the base64-encoded SHA-256 digest of the DER-encoded public key. Because the pin covers only the public key, you can compute it from either your private key or your certificate and get the same value.

Key:

sudo openssl rsa -in /path/to/key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64

Cert:

sudo openssl x509 -in /path/to/cert -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
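The two pipelines above use `openssl rsa`, which only understands RSA keys. The script below is an added example (not from the original post) that does the same job with `openssl pkey`, which handles RSA and EC keys alike, and adds the check a practitioner wants before deploying a pin: it generates a throwaway EC key and self-signed certificate (the `/CN=dot.example` name and temp paths are constructed for the demo), computes the pin both from the key and from the certificate, and confirms they agree. `check_pin` compares a certificate's pin against an expected value, which is what a resolver effectively does at connection time.

```shell
#!/bin/sh
# Added example, not the original post's commands: SPKI pin generation with
# `openssl pkey` (works for RSA and EC keys) plus a consistency check.
set -eu

# Pin of a private key: DER-encoded SubjectPublicKeyInfo -> SHA-256 -> base64.
pin_from_key() {
    openssl pkey -in "$1" -pubout -outform der \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# Pin of a certificate: extract the PEM public key, re-encode as DER, digest.
pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# Succeeds (exit 0) when the certificate's pin equals the expected pin.
# $1 = certificate path, $2 = expected pin (base64 SHA-256 of the SPKI)
check_pin() {
    [ "$(pin_from_cert "$1")" = "$2" ]
}

# Self-test on a throwaway P-256 key and a one-day self-signed certificate.
# Key, certificate and subject name are constructed here for the demo.
demo_pins() {
    tmp=$(mktemp -d)
    openssl ecparam -name prime256v1 -genkey -noout -out "$tmp/key.pem"
    openssl req -new -x509 -key "$tmp/key.pem" -subj "/CN=dot.example" \
        -days 1 -out "$tmp/cert.pem"
    k=$(pin_from_key "$tmp/key.pem")
    c=$(pin_from_cert "$tmp/cert.pem")
    rm -rf "$tmp"
    printf 'key  pin: %s\ncert pin: %s\n' "$k" "$c"
    # Both routes hash the same SubjectPublicKeyInfo, so the pins must match.
    [ "$k" = "$c" ]
}

demo_pins
```

Run it as `sh pin.sh`; it prints the two pins and exits non-zero if they differ. Since the pin is tied to the key rather than the certificate, it survives certificate renewals as long as the key is kept, and changes the moment the key is rotated; keep a pin for the next key ready before rotating so the other side of the DNS-over-TLS link is not locked out.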

That’s it!