Join our affiliate network and become a local SSL expert

♦ learn more about our program ♦
picture of tbs certificates
picture of tbs certificates
Our products range

20170413 - CA/B Forum makes CAA checking mandatory for Certification Authorities

As of September 8 2017, each certification authority will have to check DNS CAA entries before issuing a certificate. CAA checking is not new but is optional, currently a certification authority can choose not to do this control.

Attention: This control will have to be done for each SAN that will be secured by the requested certificate.

What is CAA?

The CAA (Certification Authority Authorization) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain.

How does it work?

Create a DNS CAA entry is not mandatory for the domain holder and if no record is defined then an authorization is tacitly given to any certification authority to issue a certificate for that domain.

On the other hand an empty entry means a global interdiction.

NOTE: Once the certificate is issued the CAA checking in not useful anymore. Third parts (such as browsers) do not check for CAA entry when a certificate is presented. An entry may be modified after issuance without invalidate a certificate.

What is the use of such a control?

It gives you the possibiliy to forbid some certification authorities to issue certificate for your domains. You have then a better contol of your SSL tools.

It may also be considered as an additional vetting control and help CA not to issue mis-issued certificate.

And in practice?

CAA handles 3 properties:

  • issue: contains authorization/restrictions regarding the concerned domain

  • issuewild: contains authorization/restrictions regarding the concerned domain. It is specific to wildcard certificates. If there is no entry then the issue property is checked (not the other way around)

  • iodef (Incident Object Description Exchange Format): Specifies a URL to which an issuer may report certificate issue requests that are inconsistent with the issuer's Certification Practices or Certificate Policy. The URL format indicates the method that has to be used to report issue (mailto for an email and HTTP for a web service use).

Other values can be added by the domain holder or at the request of the certification authority.

What about sub-domains?

You can create DNS CAA entries specific to sub-domains. In that case the authority will check for it first and, if it doesn't find it, it will check for the root domain.

issue and issuewild values

In the table below you'll find the values* to define for the issue and issuewild tags for each certification authority:

Sectigo / TBS X509 / PositiveSSL

* Values updated on 2019/10/15

Useful links