What is a Certificate Authority Authorization (CAA) Record?

Certificate Authority Authorization (CAA) is a vital mechanism that plays a pivotal role in bolstering web security by allowing domain owners to specify which Certificate Authorities (CAs) are authorized to issue digital certificates for their domains. A CAA record is added to a domain's DNS zone.

What is Certificate Authority Authorization (CAA)?

Certificate Authority Authorization (CAA) is a DNS (Domain Name System) record that domain owners can use to control which Certificate Authorities are permitted to issue SSL/TLS certificates for their domains. SSL/TLS certificates are cryptographic keys that secure the data transmitted between a user's browser and a website's server, ensuring that sensitive information remains confidential and tamper-proof.

CAA records are essentially a set of rules or policies that specify which CAs are authorized to issue certificates for a particular domain. When a CA receives a certificate request for a domain, it checks the domain's DNS records for CAA entries to determine whether it has permission to issue a certificate for that domain.

How many companies implement Certificate Authority Authorization (CAA) records?

How do I lookup my CAA record?

You can look up your Certificate Authority Authorization (CAA) Record and check other domain security features on our Cyber Security Risk Scoring page.

Why was the CAA standard created and who backs it?

Which Certificate Authorities Support CAA?

In 2017, 94% of voting Certificate Authorities (CAs) voted in favour of making CAA checking mandatory, as well as all voting browsers, with Mozilla, Google, and Apple supporting making Certificate Authority Authorization Checking Mandatory.

Compared to other Cyber Security Risk Scoring metrics) policies such as DMARC and SPF, CAA is still slow to gain traction. For a breakdown of adoption of different risk policies, see Cyber Security Policy Adoption Statistics.

Why is Certificate Authority Authorization Important?

• Enhanced Security: One of the primary reasons CAA is important is because it strengthens the security of SSL/TLS certificates. Without CAA, any CA could potentially issue a certificate for any domain, making it easier for malicious actors to create fraudulent websites and carry out phishing attacks. CAA helps domain owners maintain control over their digital identities and reduces the risk of unauthorized certificate issuance.

• Prevents Certificate Misissuance: Certificate misissuance occurs when a CA issues a certificate for a domain without proper authorization. This can happen due to human error or malicious intent within a CA. CAA records act as a safeguard against such incidents by explicitly specifying which CAs are allowed to issue certificates for a given domain.

• Regulatory Compliance: Many industries and regulatory bodies require organizations to implement security measures to protect sensitive data. CAA records can assist organizations in meeting compliance requirements by ensuring that only trusted CAs issue certificates for their domains.

• Mitigates Risk: By explicitly stating which CAs are authorized to issue certificates, domain owners can reduce the risk associated with rogue CAs or third-party certificate issuers. This minimizes the chances of unauthorized certificates being used for nefarious purposes.

• Accountability: CAA records help establish accountability in the certificate issuance process. If a CA issues a certificate without proper authorization, it can be traced back to a violation of CAA policies, making it easier to identify and rectify any breaches.

List of Certificate Authorities

We have curated a list of root certificate authorities and their intermediate certificate authorities. This list will help to give you an understanding of how you can take control of your certificate issuance process.

CAA IODEF Record

Stellastra also recommends adding a CAA IODEF Record. That is an Incident Object Description Exchange Format (IODEF) record for Certificate Authority Authorization.

---

Share this article