Certification Authority Authorization (CAA) is a method for a domain owner to permit one or more certification authorities (CAs) to issue SSL/TLS certificates using their domain name. The permission is provided through a CAA record associated with a DNS entry for the domain name.
Starting September 8, 2017, all CAs must perform a CAA check at the time of issuing an SSL/TLS certificate. The result could be as follows:
CAA records also carry tags that control whether wildcard certificates may be issued, and can provide contact information that the CA can use to reach the domain owner.
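As an added example (not Entrust Datacard's code), here is the issuance-time check a CA performs, written in Python against a constructed in-memory stand-in for DNS. It follows a simplified form of the CAA lookup in the specification (RFC 6844, later RFC 8659): climb from the requested name toward the root, use the first CAA record set found, apply issuewild to wildcard requests, and refuse to issue if an unrecognised tag is flagged critical. The zone data, CA names and contact address are constructed for the demonstration.

```python
# Added example (not Entrust's code): a simplified CAA check as a CA would run
# it at issuance time. DNS is replaced by a constructed in-memory zone so the
# example runs offline; real CAs resolve the CAA RRset over DNS (ideally DNSSEC).
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int      # bit 7 (value 128) = "issuer critical"
    tag: str        # "issue", "issuewild" or "iodef"
    value: str      # CA domain (optionally "; params"), or a contact URL for iodef

# Constructed zone data. example.com permits one CA, forbids wildcards, and
# publishes a contact; legacy.example.net has a critical tag this CA does not know.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "entrust.net"),
        CAARecord(0, "issuewild", ";"),          # ";" alone = nobody may issue wildcards
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.net": [CAARecord(128, "futuretag", "x")],  # critical, unknown tag
}

def lookup_caa(fqdn):
    """Climb from fqdn toward the root; the first label with a CAA RRset wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        records = ZONE.get(".".join(labels[i:]))
        if records:
            return records
    return []  # no CAA anywhere in the tree: any CA may issue

def ca_may_issue(name, ca_domain):
    """Return (permitted, contacts) for a certificate request handled by ca_domain."""
    wildcard = name.startswith("*.")
    records = lookup_caa(name[2:] if wildcard else name)  # "*." is not a DNS label
    contact = [r.value for r in records if r.tag == "iodef"]
    # A critical record with a tag this CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in records):
        return False, contact
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # Wildcard requests are governed by issuewild when present, otherwise by issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, contact  # CAA present but no restricting records: any CA may issue
    # Each value is "<ca-domain>[; params]"; an empty domain (";") permits no CA at all.
    allowed = {r.value.split(";")[0].strip().lower() for r in relevant}
    return ca_domain.lower() in allowed, contact
```

The contact list is returned alongside the decision so a CA that is refused can report the attempted issuance to the address the domain owner published.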
The benefit of CAA is the DNS administrator can allow only trusted CAs to issue certificates for their domain names. With this control, attackers will be limited as to which CAs they can attempt to get a fraudulent certificate from. In most cases, this will prevent attackers from using a CA that issues free domain validated (DV) certificates.
CAA will also limit the source for legitimate certificates requested by internal administrators. The limitation might be in place for reasons such as:
There are probably more reasons to limit which CA(s) can issue certificates. CAA gives the domain owner control.
Some issues can arise when you decide to use CAA, but they are mostly minor hiccups that are easily remedied:
It is recommended to perform a certificate transparency (CT) search before deploying CAA, because it will help identify which CAs have issued certificates for your domains.
Entrust Datacard and CAA
Entrust Datacard has been supporting CAA for over two years. Our first release was to perform the CAA record check at the time of domain name verification. This method allowed all issues to be addressed before certificate issuance time.
Moving forward, we will still perform the CAA check at the time of verification or re-verification. This will allow certificate subscribers to address issues as early as possible. We will also recheck at the time of certificate issuance, which will prevent unpermitted issuance.
Entrust Datacard has a Certification Authority Authorization (CAA) page to provide information on CAA, including a CAA Best Practices guide to support DNS administrators.
In the not too distant future, we will provide a CAA Lookup Tool. The tool will return the CAA records for one or more domain names you enter, allowing a pre-check to ensure your trusted CA(s) can issue your certificates.
You have Control with CAA
In the end, if you choose to use CAA, you have control. CAA should help to prevent fraudulent certificates from being issued for your domain names.