02/12/2021

What is CAA (Certificate Authority Authorization)?

Editor’s Notice: This web site was originally posted in August of 2017. It has not too long ago been up to date to reflect the RFC 1912 guidleline for CNAME data.

CAA is a security measure that makes it possible for domain house owners to specify in their Area Identify Servers (DNS) which CAs are authorized to problem certificates for that domain. If a CA receives an purchase for a certification for a area with a CAA report and that CA isn’t mentioned as an authorized issuer, they are prohibited from issuing the certification to that area or any subdomain.

Benefits of CAA

One of the benefits of CAA is to health supplement Certificate Transparency (CT). CT presents mechanisms to enable domain house owners detect mis-issued or regularly issued certificates for their domains just after issuance, when CAA can enable prevent unauthorized issuance in advance of the fact. Together they construct a greater established of protection than possibly 1 by on their own.  

CAA can also aid organizations who have standardized, or want to standardize or limit the CAs they use. Prior to CAA, there was not an uncomplicated way for organizations to implement this style of coverage, but now that all CAs will have to check out for CAA records, these insurance policies can actually be enforced by the CAs.

Employing CAA

Though examining for CAA records is necessary for CAs, utilizing CAA is optional for area proprietors. You can determine for your self if you want to carry out and, if you come to a decision to do so, you can specify many CAs if sought after (see cautionary notes afterwards in this site).

Here are the processing regulations for CAs:

  • No CAA report: CA can issue.
  • CAA file consists of CA: CA can issue.
  • CAA file, but does not contain CA: CA simply cannot situation.

CAA supports the next attributes:

  • Situation: Permits CAs to challenge certificates (which includes wildcard certificates except restricted by Issuewild)
  • Issuewild: Permits CAs to difficulty a wildcard certification, but not non-wildcard certificates.

Listed here is an instance of the CAA code you would include to your DNS zone file if you needed to authorize GlobalSign to concern certificates for illustration.com:

CAA problem “globalsign.com”

Keep in mind, CAA checking starts off with the total FQDN and processes up to the Base Domain, so when validating the FQDN of www.us.instance.com, the CA will check out:

  • www.us.instance.com, then
  • us.case in point.com, then
  • case in point.com.

For in depth directions on how to increase CAA data, including measures for a hosted DNS, make sure you see our relevant guidance report.

Be aware about CNAMEs:
In accordance with RFC 1912, A CNAME history is not permitted to coexist with any other info.  When looking for CAA records, we will abide by the over regulations from the FQDN and strolling the chain up but if we come across a CNAME file we will disregard DNS TXT and CAA data for that area.  Alternatively of searching for a CAA document on the offered domain identify, we will glance for CAA records on the area the CNAME points to.

Use Warning When Updating CAA

Be absolutely sure you use caution when building CAA data.  If you have other departments getting certificates you require to coordinate to be positive that all CAs in use will be extra to your CAA information. Considering the fact that CAA checking is required and outcomes in turned down orders that a CA just cannot override, it is vital that the DNS administrator does not get down the company! Also, if you’re working with a service provider for any of your web hosting solutions, they may be securing those servers with a CA you never have a direct connection with, so be very careful.

As a quick check out, you may perhaps want to query for certificates issued to your domains working with https://crt.sh/ which will return a record of the issuing CAs for that area. Don’t shoot yourself in the foot, make educated updates to CAA data!

GlobalSign and CAA

GlobalSign will start off enforcing CAA on August 28, 2017.

As outlined higher than, we have produced a couple of aid article content to support with implementation and handle some typical mistakes. If you have extra questions about CAA, you should don’t wait to contact us.