Back

Certificate Authority Authorization: what is it and how does it work?

Author: Valeria van der Poel
0 MIN READ TIME
9/1/2017
Domain Security News
openprovider blog about domains

certificate authority authorizationCertification Authority Authorization (CAA, RFC6844) is intended to reduce the risk of SSL/TLS certificate issuance without prior knowledge of the owner.

How does it work?

The simplest description of Certificate Authority Authorization is that it is a DNS record that lists the CAs permitted to issue certificates for your domain. A CA will be required to check this record before they issue a certificate. They can then only issue the certificate if they are authorised to do so.

A CAA record has the following structure: flag tag ca

  • flag‘ can only contain 0 or 128. 0 defines the record as mandatory, 128 makes it optional. We advise for now to set it to ‘0’.
  • tag‘ sets the type of CAA record. It can either contain ‘issue’ or ‘issuewild’. This defines the following options;
    • ‘issue’ allows the CA to only issue ‘regular’ single domain certificates.
    • ‘issuewild’ indicates that a wildcard certificate may be issued by the CA.
  • ca‘ indicates which certificate authority (s) have permission to issue certificates.

Setting up CAA

At sslmate you can find a CAA Record Helper. This great tool does exactly what it says on the tin! Simply head over to the site, add your domain name, select the CAs you wish to authorise and add a reporting address. That’s it. This tool then returns a DNS (CAA) record that you can copy to your DNS zone. A DNS zone with the simplest form of CAA looks like this:

Comodo:
example.com. IN    CAA   0 issue "comodoca.com"

Symantec:
example.com. IN    CAA   0 issue "symantec.com"

RapidSSL:
example.com. IN    CAA   0 issue "rapidssl.com"

Thawte:
example.com. IN    CAA   0 issue "thawte.com"

GeoTrust:
example.com. IN    CAA   0 issue "geotrust.com"

0 Views
0 Likes

Share this:

More Topics Like This

Cyber security statistics: 2025 trends and data

Stay ahead of evolving threats with the latest cybersecurity statistics, insights, and best practices for 2025.

Read more

13 Most effective ways to protect your brand online

Protect your brand online with 13 practical, expert-backed strategies. Learn how to defend your domains and emails from advanced threats.

Read more

Follow us on

;
Image not found

Not a Member yet?

Become a Member today and get access to exclusive deals.