Sample code to create dnscrypt certificates.

WARNING: This code is deprecated.

Please use dnscrypt-wrapper, for generating certificates.

$ git clone --recursive https://github.com/Cofyc/dnscrypt-wrapper.git
$ cd dnscrypt-wrapper
$ make install
$ rehash

First, on a dedicated, trusted, offline host with encrypted partitions and swap, generate a provider keypair:

$ dnscrypt-wrapper --gen-provider-keypair

In addition to generating public.key and secret.key files, this command prints the provider key required for dnscrypt-proxy's --provider-key= switch.

Then, issue the following command to generate a new dnscrypt key pair:

$ dnscrypt-wrapper --gen-crypt-keypair

Finally, generate pre-signed certificates:

$ dnscrypt-wrapper --crypt-secretkey-file=crypt_secret.key \
                   --crypt-publickey-file=crypt_public.key \
                   --provider-publickey-file=public.key \
                   --provider-secretkey-file=secret.key \
                   --gen-cert-file

This will print the DNS records needed for serving the certificates using an authoritative name server, and generate the dnscrypt.cert file for dnscrypt-wrapper to serve these directly.