Certification Authority Authorization (CAA, RFC 6844) is intended to reduce the risk of SSL/TLS certificates being issued for a domain without the domain owner's knowledge or authorisation. It is a preventive control on mis-issuance by CAs that follow the rules; it does not protect against a CA that is itself compromised or ignores the record.

How it works

The simplest description of CAA is that it is a DNS record listing the CAs permitted to issue certificates for your domain. Since 8 September 2017 the CA/Browser Forum Baseline Requirements oblige every publicly trusted CA to check this record before issuing a certificate and to issue only if the record authorises it. If a name has no CAA record, the CA walks up the DNS tree and uses the nearest parent that does publish one; if none exists anywhere up the tree, issuance is unrestricted. A child's record set replaces, rather than merges with, its parent's.

A CAA record has the following structure (the RFC calls the three fields flags, tag and value):
flag tag ca

  • ‘flag’ is a single byte; in practice only 0 or 128 is used. 128 sets the "issuer critical" bit: a CA that does not understand the record's tag must then refuse to issue. With 0 a CA may ignore a tag it does not recognise. We advise setting it to ‘0’ for the standard tags.
  • ‘tag’ sets the type of CAA record; it contains issue, issuewild or iodef. This defines the following options:
    • ‘issue’ authorises the CA to issue certificates for the domain and its subdomains. If no ‘issuewild’ record is present, ‘issue’ records also govern wildcard certificates.
    • ‘issuewild’ authorises the CA to issue wildcard certificates (*.example.com). When present, it takes precedence over ‘issue’ for wildcard names only; a value of ";" forbids wildcard certificates altogether.
    • ‘iodef’ gives a mailto: or https: URL to which a CA can report a certificate request it refused because of your CAA policy.
  • ‘ca’ is the domain identifier the certificate authority publishes for CAA purposes (one record per CA). The special value ";" means that no CA may issue at all.

Setting up CAA

There is an awesome tool over on sslmate called the CAA Record Generator, which does exactly what it says on the tin! Simply head over to the site, add your domain name, select the CAs you wish to authorise and a reporting address (the iodef record), and that's it. The tool returns DNS (CAA) records that you can copy into your DNS zone. Check the identifier string against the CA's own documentation, since it is the exact string the CA compares against. Note that the examples below only contain ‘issue’ records, so they also cover wildcard certificates from the same CA; add an ‘issuewild’ record if wildcards need a different policy. A DNS zone with the simplest form of CAA looks like this:

Simple example for Comodo
example.com. IN    CAA   0 issue "comodoca.com"

Simple example for Symantec
example.com. IN    CAA   0 issue "symantec.com"

Simple example for RapidSSL
example.com. IN    CAA   0 issue "rapidssl.com"

Simple example for Thawte
example.com. IN    CAA   0 issue "thawte.com"

Simple example for GeoTrust
example.com. IN    CAA   0 issue "geotrust.com"
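The following is an added example, not code from the original page or from sslmate: a small Python evaluator that takes zone-file lines like the ones above and applies the RFC 6844 rules described in the "How it works" section (climbing to the nearest parent with CAA, issue versus issuewild, the critical flag on an unknown tag, and the ";" value). The sample zone is constructed for the example; comodoca.com and geotrust.com are the identifiers used on this page, while "futuretag" is a hypothetical tag that no CA understands. CNAME following from RFC 6844 section 4 is deliberately left out.

```python
"""CAA policy check after RFC 6844 (added example, not the page's own code)."""
import shlex
from dataclasses import dataclass

ISSUER_CRITICAL = 128                       # flag bit: unknown critical tag => must not issue
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone for this example; "futuretag" is a hypothetical tag.
SAMPLE_ZONE = """
; constructed sample zone (not a real deployment)
example.com.          IN CAA 0   issue     "comodoca.com"
example.com.          IN CAA 0   issuewild ";"
example.com.          IN CAA 0   iodef     "mailto:security@example.com"
shop.example.com.     IN CAA 0   issue     "geotrust.com; account=12345"
legacy.example.com.   IN CAA 128 futuretag "opaque"
"""


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def strip_wildcard(name: str) -> str:
    # *.example.com is governed by the record set of example.com
    return name[2:] if name.startswith("*.") else name


def parse_zone_caa(zone_text: str) -> dict:
    """Parse 'owner [IN] CAA flags tag "value"' lines into {owner: [CAARecord]}."""
    zone = {}
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        tokens = shlex.split(line)          # keeps the quoted value as one token
        pos = [t.upper() for t in tokens].index("CAA")
        flags = int(tokens[pos + 1])
        if not 0 <= flags <= 255:
            raise ValueError(f"flags out of range: {line}")
        record = CAARecord(flags, tokens[pos + 2].lower(), tokens[pos + 3])
        zone.setdefault(normalize(tokens[0]), []).append(record)
    return zone


def relevant_record_set(zone: dict, name: str) -> list:
    """RRset of the nearest ancestor-or-self that publishes CAA (no merging)."""
    labels = normalize(name).split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_of(value: str) -> str:
    """'geotrust.com; account=12345' -> 'geotrust.com'; ';' -> '' (no CA)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: dict, name: str, ca_domain: str) -> bool:
    """Decide whether the CA identified by ca_domain may issue for name."""
    name = normalize(name)
    wildcard = name.startswith("*.")
    rrset = relevant_record_set(zone, strip_wildcard(name))
    if not rrset:
        return True                         # no CAA up the tree: unrestricted
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False                        # critical tag we do not understand
    authorised = [r for r in rrset if r.tag == "issue"]
    if wildcard:                            # issuewild overrides issue for wildcards only
        authorised = [r for r in rrset if r.tag == "issuewild"] or authorised
    if not authorised:
        return True                         # e.g. only iodef present: nothing restricts
    allowed = {issuer_of(r.value) for r in authorised} - {""}
    return ca_domain.lower() in allowed


def report_addresses(zone: dict, name: str) -> list:
    """iodef URLs a CA should notify when it refuses a request for name."""
    rrset = relevant_record_set(zone, strip_wildcard(normalize(name)))
    return [r.value for r in rrset if r.tag == "iodef"]


if __name__ == "__main__":
    zone = parse_zone_caa(SAMPLE_ZONE)
    checks = [("example.com", "comodoca.com"), ("www.example.com", "geotrust.com"),
              ("*.example.com", "comodoca.com"), ("*.shop.example.com", "geotrust.com"),
              ("legacy.example.com", "comodoca.com"), ("no-caa.test", "comodoca.com")]
    for name, ca in checks:
        verdict = "may issue" if may_issue(zone, name, ca) else "MUST NOT issue"
        print(f"{ca:14} -> {name:22} {verdict}")
    print("report refusals to:", report_addresses(zone, "www.example.com"))
```

Two behaviours are worth noticing when you run it: www.example.com inherits the parent's policy because it has no CAA of its own, whereas shop.example.com's own record set replaces the parent's entirely (comodoca.com is no longer allowed there), and the single critical "futuretag" record on legacy.example.com blocks every CA, which is exactly why the flag should stay 0 for the standard tags.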

03 Oct
