Certification Authority Authorization (CAA) is a method for a domain owner to permit one or more certification authorities (CAs) to issue SSL/TLS certificates using their domain name. The permission is provided through a CAA record associated with a DNS entry for the domain name.
Starting September 8, 2017, all CAs must perform a CAA check at the time of issuing an SSL/TLS certificate. The check has one of the following outcomes:
- CAA record permits the requesting CA to issue the certificate.
- CAA record permits a different CA to issue the certificate. This is a failure for the requesting CA and a certificate will not be issued.
- No CAA record is associated with the domain name. In this case, all CAs are permitted to issue certificates.
- CAA record has a permission which is not associated with any CA. In this case, no CAs can issue a certificate for the domain.
CAA records can also control permissions for wildcard certificates and can provide information that allows the CA to contact the domain owner.
The benefit of CAA is that the DNS administrator can allow only trusted CAs to issue certificates for their domain names. With this control, attackers are limited in which CAs they can attempt to obtain a fraudulent certificate from. In most cases, this will prevent attackers from using a CA that issues free domain validated (DV) certificates.
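The outcomes listed above, including the wildcard case, can be written as a small evaluator. This is an added example, not Entrust Datacard code: the zone data and CA names (ca-one.example, ca-two.example) are constructed, and issue, issuewild and iodef are the standard CAA property tags, which the article does not name.

```python
# Constructed CAA data: name -> list of (flags, tag, value). Not real DNS answers.
SAMPLE_ZONE = {
    "example.com": [(0, "issue", "ca-one.example"),
                    (0, "issuewild", ";"),
                    (0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [(0, "issue", ";")],
    "contact-only.example.net": [(0, "iodef", "mailto:security@example.net")],
}

def relevant_rrset(zone, fqdn):
    """Climb from fqdn toward the root and return the first CAA record set found."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":          # wildcard requests are checked against the base name
        labels = labels[1:]
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []

def issuer_of(value):
    """Issuer domain from an issue/issuewild value; ';' alone yields ''."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(zone, fqdn, ca_domain):
    """Return (permitted, reason) for ca_domain issuing a certificate for fqdn."""
    records = relevant_rrset(zone, fqdn)
    if not records:
        return True, "no CAA record: all CAs permitted"
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 128 and tag.lower() not in known for flags, tag, _ in records):
        return False, "unrecognized critical property"
    issue = [v for _, t, v in records if t.lower() == "issue"]
    wild = [v for _, t, v in records if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests
    relevant = wild if fqdn.startswith("*.") and wild else issue
    if not relevant:
        return True, "no issue restriction in record set"
    if ca_domain.lower() in {issuer_of(v) for v in relevant}:
        return True, "CA is listed"
    if not any(issuer_of(v) for v in relevant):
        return False, "record names no CA: nobody may issue"
    return False, "a different CA is listed"
```

A record set that carries only contact information (iodef) does not restrict issuance, which is why `contact-only.example.net` is treated like a domain with no CAA record.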
CAA will also limit the source for legitimate certificates requested by internal administrators. The limitation might be in place for reasons such as:
- Not all CAs are approved vendors
- Not all CAs are trusted by the enterprise
- There is a central purchasing agreement with one CA
- Some CAs have excellent certificate management tools which support central control of all certificates
There are probably more reasons to limit which CA(s) can issue certificates. CAA gives the domain owner control.
Some issues can arise when using CAA, but they are mostly minor hiccups that are easily remedied:
- The main issue is that the CAA record might not be set correctly.
- The business might use more than one CA while the CAA record is set to permit only one. DNS administrators should ensure they know which CAs are permitted.
- The CAA record might have an indication that is not associated with any CA. In this case, no CA can issue a certificate. DNS administrators should ensure they are familiar with the method to set a CAA record.
- Please also note that checking CAA will be new to most CAs, potentially causing error conditions that may delay a certificate from being issued.
It is recommended to perform a certificate transparency (CT) search before using CAA, because it will help identify CAs that have issued certificates to your domains.
Entrust Datacard and CAA
Entrust Datacard has been supporting CAA for over two years. Our first release was to perform the CAA record check at the time of domain name verification. This method allowed all issues to be addressed before certificate issuance time.
Moving forward, we will still perform the CAA check at the time of verification or re-verification. This will allow certificate subscribers to address issues as early as possible. We will also recheck at the time of certificate issuance, which will prevent unpermitted issuances.
Entrust Datacard has a Certification Authority Authorization (CAA) page to provide information on CAA, including a CAA Best Practices guide to support DNS administrators.
In the not too distant future, we will provide a CAA Lookup Tool. The tool will return the CAA records for one or many entered domain names, allowing a pre-check to ensure your trusted CA(s) can issue your certificates.
You have Control with CAA
In the end, if you choose to use CAA, you have control. CAA should help to prevent fraudulent certificates from being issued for your domain names.