Certification Authority Authorisation (CAA)

What is Certification Authority Authorisation (CAA)?

Certification Authority Authorisation (CAA) allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorised to issue certificates for that domain. This way a public Certification Authority can implement addition controls to reduce the risk of unintended certificate mis-issue. Earlier this year a ballot passed to make CAA checking mandatory. Which means that a CA will check the authorisation before issue-ing a certificate.

What problem does it resolve?

CAA resolves the mis-issue of certificates for a DNS domain. This way a CA will not issue a certificate if the domain owner has not authorised the CA to do so. This way the domain owner gets more control of which CAs can issue certificates. The domain owner also gets a notification when authorisation fails. Notice that SSL is not only used on websites, but also for communication with mail servers and many, many more applications.

How does it work?

A domain owner adds a CAA DNS Resource Record on his DNS server. In this DNS record the owner specifies the domain the authorised CAs. The CA checks the available CAA record during the issue-ing process. A CA may check if the DNS configuration is compromised against the DNSSEC record. After deployment of the issued certificate a browser may check if the chain is valid and if the CA is authorised.

In short the process goes as follows:

1. A domain holder requests a new SSL certificate
2. The Certification Authority must check if a CAA DNS record is compliant with the requests or an exception is specified.
3. The CA checks all specified domains (including wildcards) of the request
4. Optionally a CA checks the DNSSEC records
5. Only if all checks pass, the CA will issue the certificate.

If a check fails the Certification Authority may sent a report to the domain holder.

How to configure CAA for my domain?

There are several options to configure Certification Authority Authorisation for your domain. The easy way is to let the CAA DNS record for you. To do this go to CAA Record Generator by SSL mate and follow the steps on that site.

On the other hand it’s not that hard to create the CAA record yourself, but you have to know what to add. The syntax of the DNS record with the optional parameters:

0 issue "CA domain"
0 issuewild "CA domain"
0 iodef "mailto:mailaddress"

A CAA record can contain the following parameters: issue, issuewild and iodef.

• Issue: with this parameter you authorise a specific Certification Authority for a specific domain, this parameter does allow wildcard certificates.
• Issuewild: with this parameter you authorise a specific Certification Authority for a specific domain, this parameter only allows wildcard certificates.
• iodef: with this parameter you specify the way a Certification Authority can use for reporting certificate issue requests that violate the security policy of the issuer or the domain name holder.