20170413 - CA/B Forum makes CAA checking mandatory for Certification Authorities

As of 8 September 2017, every Certification Authority must check the CAA DNS records of a domain before issuing an SSL certificate for it. CAA records have existed for some time, but checking them has been optional: until that date each authority could choose whether or not to perform the check.

Caution: this check must be carried out for each of the SANs (Subject Alternative Names) to be secured by the requested certificate, not just for the common name.

What is CAA?

CAA (Certification Authority Authorization) is a DNS record type that lets the owner of a domain name authorize (and therefore also forbid) one or more certification authorities to issue certificates for the domain concerned.

How does it work?

Publishing a CAA record is not mandatory: if no CAA record is defined for a domain, it is assumed that permission is tacitly given to all Certification Authorities to issue for that domain.

By contrast, a CAA record that names no authority at all (an issue property whose value is ";") forbids every authority from issuing.

NOTE: once the certificate has been issued, the CAA check no longer plays any role. Third parties (browsers, for example) do not look up the CAA record when a certificate is presented to them. The record may well have been modified after issuance, and that does not invalidate the certificate.

What is the use of such a control?

It gives you the ability to forbid certification authorities from issuing certificates for your domains, and therefore better control over the certificates that exist in your name.

It can also be seen as an additional audit step that allows the authority to reduce the risk of mis-issuance.

And in practice?

CAA defines three properties:

  • issue: contains the authorizations/restrictions for the domain concerned.
    If this property is used alone, it applies both to the domain concerned and to wildcard certificates.
    Here is an example: CAA 0 issue ""
    Authorization for the Sectigo authority to issue the certificate for and the wildcard certificate for *

  • issuewild: contains the authorizations/restrictions for the domain concerned, specifically for wildcard certificates. If it does not exist, the issue property is used for wildcard certificates instead (the reverse is not true: issuewild never applies to non-wildcard names).
    Here is an example: CAA 0 issuewild ""
    Authorization for the Sectigo authority to issue the certificate only for the *

  • iodef (Incident Object Description Exchange Format): specifies a URL for reporting problems encountered during the check. The URL scheme indicates the method to be used (mailto to send an e-mail, or http to call a web service).

Other values can be added at the discretion of the domain owner or at the request of the certification authority.

What about sub-domains?

It is possible to create CAA records specific to sub-domains rather than to an entire domain. In this case, the authority first looks for a CAA record on the sub-domain itself and then, if none exists, on each parent domain in turn; the first CAA record set found is the one that applies.

issue and issuewild values

In the table below you'll find the values to be defined for issue and issuewild for each certification authority:

Sectigo / TBS X509 / PositiveSSL

* Values updated on 2019/10/15

How to define several authorizations?

If you wish to authorize more than one certification authority, add one CAA record per authority; the authorizations add up.

Example:
  CAA 0 issue ""
  CAA 0 issue ""
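The decision rules described above (tacit permission when no record exists anywhere in the tree, issue ";" forbidding everyone, issuewild taking precedence over issue for wildcard names, the walk from a sub-domain up to its parents, one record per authorized authority, and the check being repeated for every SAN) can be exercised offline with the following script. It is an added example, not code from TBS or from any certification authority: the zone data is constructed in memory, and the issuer names ca-one.example and ca-two.example are placeholders standing in for the values a real authority publishes. The handling of an unknown property tag carrying the critical flag (flags value 128), which obliges the authority to refuse issuance, follows RFC 6844/8659 and goes beyond what the page itself discusses.

```python
"""Offline CAA policy check, as a certification authority runs it before issuing.

Added example (not TBS's or any CA's code). Zone data below is constructed;
ca-one.example / ca-two.example are placeholder issuer domain names.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISSUER_CRITICAL = 128                      # flags bit: "you must understand this tag"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa_rr(text: str) -> CAARecord:
    """Parse the presentation form used on the page, e.g. '0 issue "ca.example"'."""
    flags, tag, value = text.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def load_zone(records: Dict[str, List[str]]) -> Dict[str, List[CAARecord]]:
    return {name: [parse_caa_rr(rr) for rr in rrs] for name, rrs in records.items()}


# Constructed zone data (not real DNS). Keys are FQDNs without the trailing dot.
ZONE = load_zone({
    "example.com": [
        '0 issue "ca-one.example"',
        '0 issue "ca-two.example"',             # second record = second authorized CA
        '0 issuewild "ca-one.example"',         # wildcards: only ca-one may issue
        '0 iodef "mailto:security@example.com"',
    ],
    "locked.example.com": ['0 issue ";"'],         # names no CA at all: nobody may issue
    "critical.example.com": ['128 futuretag "x"'], # critical flag on an unknown tag
})


def relevant_rrset(name: str, zone=ZONE) -> Tuple[Optional[str], List[CAARecord]]:
    """Walk from the name up through each parent; return the first CAA RRset found.

    A wildcard name is looked up from the label following '*.' (RFC 8659 section 3).
    """
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        candidate = ".".join(labels)
        if zone.get(candidate):
            return candidate, zone[candidate]
        labels = labels[1:]
    return None, []


def issuer_domain(value: str) -> str:
    """'ca.example; account=123' -> 'ca.example'; ';' -> '' (no issuer at all)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name: str, ca: str, zone=ZONE) -> bool:
    """True if the authority identified by `ca` is allowed to issue for `name`."""
    wildcard = name.startswith("*.")
    _, rrset = relevant_rrset(name, zone)
    if not rrset:
        return True   # no CAA record anywhere up the tree: tacit permission for all
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False  # critical property we do not understand: MUST NOT issue
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    governing = issuewild if (wildcard and issuewild) else issue  # issuewild wins for *
    if not governing:
        return True   # RRset present but no issue/issuewild applies: no restriction
    return ca.lower() in {issuer_domain(r.value) for r in governing}  # ';' matches nobody


def report_urls(name: str, zone=ZONE) -> List[str]:
    """iodef URLs the authority should use to report a failed check for `name`."""
    _, rrset = relevant_rrset(name, zone)
    return [r.value for r in rrset if r.tag == "iodef"]


def check_request(sans: List[str], ca: str, zone=ZONE) -> Dict[str, bool]:
    """The per-SAN check the page insists on: every name is evaluated separately."""
    return {san: may_issue(san, ca, zone) for san in sans}


def request_permitted(sans: List[str], ca: str, zone=ZONE) -> bool:
    return all(check_request(sans, ca, zone).values())


if __name__ == "__main__":
    for san, ok in check_request(["example.com", "*.example.com"], "ca-two.example").items():
        print(f"{san:18} ca-two.example -> {'may issue' if ok else 'MUST NOT issue'}")
```

Run as-is, the script shows the trap the caution above warns about: ca-two.example is authorized for example.com by the second issue record, yet the same request with *.example.com added must be refused, because the issuewild record names ca-one.example only.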
