Certification Authority Authorization (CAA) allows a domain owner to specify in their DNS or DNSSec which Certification Authority (CA) is authorized to issue certificates to their domain. The new CAA policy has now been defined by the CA/Browser forum and is scheduled to take effect September 8, 2017. CAA technical requirements are covered by standard RFC 6844.
There are about 140 different government and global root CA certificates that are distributed with Windows. The roots may have thousands of intermediate CAs, many of which can issue SSL/TLS certificates. CAA tightens security for domain owners by enabling them to limit certificate issuance to only those CAs they have granted permission to – this can be either one or many specific CAs.
CAA supports the following properties:
- Issue: Permits a CA to issue certificates.
- Issuewild: Permits a CA to issue a wildcard certificate, but not non-wildcard certificates.
- Iodef: Provides an email address or website where the CA can report requests which violate the CAA record policy.
Here is an example of a CAA record for domain example.com:
∙ CAA 0 issue "ca.issuer-one.com"
∙ CAA 0 issuewild "ca.issuer-two.com"
∙ CAA 0 iodef "mailto:firstname.lastname@example.org"
Each CA must define their issuer domain name in their certification practice statement (CPS). Domain owners who want to use CAA to permit only specific CA(s) to issue certificates must create a CAA record with the issuer domain name and add it to their DNS or DNSSec.
Here is a CAA record that would allow Entrust Datacard to issue certificates to their domain:
CAA 0 issue "entrust.net"
Each CA must check the CAA records for all domain names requested at the time of certificate issuance and must act as follows:
- If there is no CAA record, then the CA can issue.
- If a CAA record uses the issuer domain name from the CA’s CPS, then the CA can issue.
- If there is a CAA issue record, but there is no issuer domain name from the CA’s CPS, then the CA cannot issue.
Many enterprises use more than one CA. This may be due to departments sourcing their certificates differently or perhaps there is no policy in effect limiting certificate purchases to a specific CA(s). As such, if a domain owner is planning to use CAA, they should ensure they permit all of the trusted CAs. A simple CT search check
will help to reveal most of the trusted CAs who have issued certificates to their domain.
CAA may be the best way to protect domain owners from having fraudulent certificates issued in their domain name. This has become increasingly important with the proliferation of unauthorized DV certificates.
Update March 23, 2017:
CA/Browser Forum Ballot 187 – Make CAA Checking Mandatory