20170413 - CA/B Forum makes CAA checking mandatory for Certification Authorities
As of 8 September 2017, every certification authority will have to check the CAA DNS records before issuing an SSL certificate. Although CAA has existed for a while, the check has so far been optional: today an authority can choose whether or not to carry it out.
Caution: the check must then be carried out for each of the SANs to be secured by the requested certificate.
What is CAA?
The CAA (for Certificate Authority Authorisation) is a DNS record allowing the owner of a domain name to authorize (and therefore also prohibit) one or more certification authorities to issue certificates for the domain concerned.
How does it work?
Publishing a CAA record is not mandatory: if no record is defined for a domain, it is assumed that permission is tacitly given to all certification authorities to issue for that domain.
On the other hand, an empty entry means a blanket prohibition: no certification authority may issue for the domain.
NOTE: once the certificate has been issued, the CAA check is no longer of any use. Third parties (browsers, for example) do not check the CAA DNS record when a certificate is presented. Indeed, the record may have been modified after issuance without invalidating the certificate.
What is the use of such a check?
It gives you the ability to prohibit certificate authorities from issuing certificates on your behalf. You then have better control over your SSL tools.
It can also be seen as an additional audit step enabling the authority to reduce the risk of unwanted issuances.
And in practice?
CAA handles 3 properties:
- issue: contains the authorizations/restrictions for the domain concerned. If this property is used alone, it is valid both for the domain concerned and for wildcard certificates.
  Here is an example:
  example.com. CAA 0 issue "sectigo.com"
  Authorisation for the Sectigo authority to issue certificates for example.com and the wildcard certificate for *.example.com.
- issuewild: contains the authorizations/restrictions for the domain concerned. This property is specific to wildcard certificates. If it does not exist, the issue property is used for wildcard certificates (the reverse is not true).
  Here is an example:
  example.com. CAA 0 issuewild "sectigo.com"
  Authorisation for the Sectigo authority to issue certificates only for *.example.com.
- iodef (Incident Object Description Exchange Format): indicates a URL for reporting problems encountered during the audit procedure. The URL scheme indicates the method to be used (mailto to send an email, or http to use a web service).
Other values can be added at the discretion of the domain owner or at the request of the certification authority.
What about sub-domains?
It is possible to create CAA records specific to sub-domains rather than for the entire domain. In this case, the authority will first look for a CAA record for the sub-domain and then, if none exists, for the root domain.
issue and issuewild values
In the table below you'll find the values to be defined for issue and issuewild for each certification authority:
| AUTHORITY | VALUES |
| --- | --- |
| Sectigo / TBS X509 / PositiveSSL | sectigo.com, comodo.com, comodoca.com, usertrust.com, trust-provider.com |
| GlobalSign | globalsign.com |
| Dhimyotis/Certigna | certigna.fr |
| DigiCert | digicert.com, symantec.com, geotrust.com, rapidssl.com, thawte.com, digitalcertvalidation.com, volusion.digitalcertvalidation.com, stratossl.digitalcertvalidation.com, intermediatecertificate.digitalcertvalidation.com, 1and1.digitalcertvalidation.com |
| Harica | harica.gr |
* Values updated on 2019/10/15
How to define several authorizations?
If you wish to authorize more than one certification authority, add one CAA record per authority.
Example:
example.com. CAA 0 issue "sectigo.com"
example.com. CAA 0 issue "globalsign.com"
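The following is an added example, not code from the original article: a mock of the check a certification authority performs before issuance, implementing the rules described above (sub-domain lookup falling back to the parent, issue covering wildcards unless issuewild is present, an empty issuer forbidding everyone, and one record per authorized CA). The ZONE dictionary is constructed stand-in data, not real DNS answers.

```python
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value), e.g. (0, "issue", "sectigo.com")

# Constructed zone data (not real DNS). Names absent here have no CAA record.
ZONE: Dict[str, List[CaaRecord]] = {
    "example.com": [(0, "issue", "sectigo.com"),
                    (0, "issue", "globalsign.com"),
                    (0, "iodef", "mailto:caa-reports@example.com")],
    "shop.example.com": [(0, "issuewild", "globalsign.com")],
    "locked.example.com": [(0, "issue", ";")],  # empty issuer: nobody may issue
}


def relevant_caa(name: str) -> Tuple[Optional[str], List[CaaRecord]]:
    """Walk from the name (wildcard label stripped) towards the root and
    return the owner and records of the first non-empty CAA set found."""
    labels = (name[2:] if name.startswith("*.") else name).split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if ZONE.get(owner):
            return owner, ZONE[owner]
    return None, []


def issuer_names(records: List[CaaRecord], tag: str) -> List[str]:
    """Issuer domains carried by records with this tag. Parameters after ';'
    are dropped; the bare value ';' yields '' which matches no CA."""
    return [v.split(";")[0].strip().lower() for _, t, v in records if t == tag]


def may_issue(ca_domain: str, name: str) -> bool:
    """True if the CA identified by ca_domain may issue for this name."""
    wildcard = name.startswith("*.")
    _, records = relevant_caa(name)
    if not records:
        return True  # no CAA record anywhere up the chain: any CA may issue
    # issuewild only applies to wildcard names and, when present, overrides
    # issue for them; without issuewild, issue governs wildcards as well.
    tag = "issuewild" if wildcard and issuer_names(records, "issuewild") else "issue"
    allowed = issuer_names(records, tag)
    if not allowed:
        return True  # CAA set carries no issue/issuewild (e.g. only iodef)
    return ca_domain.lower() in allowed


def check_sans(ca_domain: str, sans: List[str]) -> Dict[str, bool]:
    """The check must hold for every SAN of a request; report each one."""
    return {san: may_issue(ca_domain, san) for san in sans}
```

Replacing ZONE with a real resolver's answers (for instance the CAA RRsets returned by `dig`) turns this into a pre-flight check you can run on your own names before ordering a certificate.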