
What is a Certificate Authority Authorization (CAA) Record?

Certificate Authority Authorization (CAA) lets a domain owner state which Certificate Authorities (CAs) are authorized to issue digital certificates for that domain. The policy is published as a CAA record in the domain's DNS zone, and a CA must consult it before issuing.

...additional controls to reduce the risk of unintended certificate mis-issue.

RFC 8659

What is Certificate Authority Authorization (CAA)?

Certificate Authority Authorization (CAA) is a DNS (Domain Name System) record type that domain owners use to control which Certificate Authorities are permitted to issue SSL/TLS certificates for their domains. An SSL/TLS certificate is not itself a key: it binds a domain name to a public key and is signed by a CA that browsers trust, which is what lets a browser authenticate a website's server and encrypt the data exchanged with it so that sensitive information stays confidential and tamper-proof.

CAA records are a set of policy statements naming the CAs authorized to issue certificates for a particular domain. When a CA receives a certificate request, it looks up CAA records for the requested name and, if none exist there, walks up through the parent domains until it finds a set of records. It may only issue if that record set lists it: an issue record for ordinary names, an issuewild record for wildcard names, and an issue record whose value is just ";" authorizes nobody. If the lookup finds no CAA records anywhere in the tree, issuance is unrestricted, and if it finds an unrecognised record marked critical the CA must refuse to issue.

How do I look up my CAA record?

You can look up your Certificate Authority Authorization (CAA) record, along with other domain security features, on our Cyber Security Risk Scoring page, or query DNS directly for the CAA record type with a tool such as dig.

Why was the CAA standard created and who backs it?

[CAA]...allows [Domain Owners] to mitigate the problem that the public CA trust system is only as strong as its weakest CA.

CA/Browser Forum

Which Certificate Authorities Support CAA?

In 2017, 94% of voting Certificate Authorities (CAs) in the CA/Browser Forum voted in favour of making CAA checking mandatory, as did every voting browser vendor, with Mozilla, Google and Apple all supporting mandatory Certificate Authority Authorization checking.

Yes votes: Let's Encrypt, Izenpe, Comodo, GoDaddy, HARICA, GDCA, Trustwave, SwissSign, Symantec, SHECA, CFCA, SSC, GlobalSign, Cisco, Buypass, DigiCert, Disig

CA/Browser Forum

Compared with the other policies tracked by Cyber Security Risk Scoring, such as DMARC and SPF, CAA has been slow to gain traction. For a breakdown of adoption across these policies, see Cyber Security Policy Adoption Statistics.

Why is Certificate Authority Authorization Important?

  • Enhanced Security: CAA strengthens the security of SSL/TLS certificates because, by default, any publicly trusted CA may issue a certificate for any domain whose control it can validate. An attacker who can pass domain validation at a single CA, for example by hijacking DNS or a web server, can obtain a certificate usable for phishing or interception. CAA narrows the set of CAs that will even attempt issuance, so domain owners keep control over who may vouch for their identity and reduce the risk of unauthorized certificate issuance.

  • Prevents Certificate Misissuance: Certificate misissuance occurs when a CA issues a certificate for a domain without proper authorization, whether through human error, a flawed validation process or malicious intent within the CA. CAA records act as a safeguard because they state explicitly which CAs may issue for the domain, and public CAs are required by the CA/Browser Forum Baseline Requirements to check them at issuance time. Note that CAA is enforced by the issuing CA, not by browsers: a client does not consult CAA when validating a certificate, so a CA that ignores or mis-processes the record can still mis-issue. CAA therefore complements, rather than replaces, monitoring Certificate Transparency logs for unexpected certificates.

  • Regulatory Compliance: Many industries and regulatory bodies require organizations to implement controls that protect sensitive data. CAA records help organizations meet such requirements by demonstrating that only approved CAs are permitted to issue certificates for their domains.

  • Mitigates Risk: By explicitly stating which CAs are authorized to issue certificates, domain owners cut their exposure to CAs they have never chosen to work with: an attacker who can pass domain validation at some other CA is stopped by that CA's CAA check. This minimizes the chances of an unauthorized certificate being issued and then used against the domain's users.

  • Accountability: CAA records create a clear, public record of the domain owner's intent. If a CA issues a certificate that the CAA policy did not authorize, the certificate can be shown to violate that published policy and the CA's obligations under the Baseline Requirements, which makes the incident easier to identify, report and remediate.

List of Certificate Authorities

We have curated a list of root certificate authorities and their intermediate certificate authorities. It will help you understand which CAs are involved in issuing your certificates and, from there, which ones to authorize when you take control of your certificate issuance process.

CAA IODEF Record

Stellastra also recommends adding a CAA iodef record. The iodef property is named after the Incident Object Description Exchange Format (IODEF, RFC 7970) and carries a mailto: or https: URL to which a CA can report certificate requests that violate the domain's CAA policy, giving the domain owner early warning of attempted mis-issuance. Reporting is optional for CAs, so treat the record as a useful signal rather than a guarantee.

The [CAA] iodef property specifies a means of reporting certificate issue requests... when those requests or issuances violate the security policy of the Issuer or the FQDN holder

RFC 8659
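To make the CA-side check described above concrete, and to show how the iodef property is picked out of the same record set, here is an added example written for this page (it is not code from the original post or from Stellastra). It evaluates CAA policy the way RFC 8659 describes: walk up from the requested name to the first non-empty CAA record set, apply issue or issuewild as appropriate, and refuse on an unknown critical property. The zone is constructed in memory for the example; the record strings are in CAA presentation format, exactly as they would appear in a zone file, and the domains and CA names in it are placeholders.

```python
"""Evaluate CAA issuance policy the way a CA does under RFC 8659.

Added example, not from the original page. ZONE is a constructed in-memory
stand-in for DNS; swap it for real lookups to test a live domain.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRITICAL = 0x80                         # "issuer critical" bit in the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone: owner name -> CAA rdata '<flags> <tag> "<value>"'
ZONE: Dict[str, List[str]] = {
    "example.com": [
        '0 issue "letsencrypt.org"',
        '0 issue "digicert.com; validationmethods=dns-01"',
        '0 issuewild ";"',                      # empty issuer: no wildcard issuance at all
        '0 iodef "mailto:security@example.com"',
    ],
    "legacy.example.com": ['128 futureprop "x"'],          # critical flag on an unknown tag
    "open.example.com": ['0 iodef "https://caa-reports.example.com/"'],  # no issue tag
}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @classmethod
    def parse(cls, rdata: str) -> "CAARecord":
        flags, tag, value = rdata.split(" ", 2)
        return cls(int(flags), tag.lower(), value.strip().strip('"'))


def relevant_caa_set(zone: Dict[str, List[str]], name: str) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 section 3: the relevant RRset is the first non-empty CAA RRset found
    walking from the requested name up through its parents. A leading '*.' is
    stripped first, so *.example.com is governed by example.com's records."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = [CAARecord.parse(r) for r in zone.get(owner, [])]
        if rrset:
            return owner, rrset
    return None, []


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """'<issuer-domain-name>[; key=value; ...]'. An empty issuer name (value ';')
    authorises nobody. Parameters such as validationmethods are returned for the
    caller; RFC 8657 defines their meaning for ACME-based CAs."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            params[key.strip().lower()] = val.strip()
    return parts[0].lower(), params


def may_issue(zone: Dict[str, List[str]], requested: str, issuer_domain: str) -> Tuple[bool, str]:
    """(authorised, reason) for the CA identified by issuer_domain wanting to issue
    for `requested`, which may be a '*.' wildcard name."""
    wildcard = requested.startswith("*.")
    owner, rrset = relevant_caa_set(zone, requested)
    if not rrset:
        return True, "no CAA records in the tree: issuance unrestricted"
    # An unrecognised property with the critical flag set forbids issuance outright.
    for rec in rrset:
        if rec.flags & CRITICAL and rec.tag not in KNOWN_TAGS:
            return False, f"critical unknown property '{rec.tag}' at {owner}"
    # issuewild governs wildcard names when present; otherwise issue applies to both.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    restricting = [r for r in rrset if r.tag == tag]
    if not restricting:                      # e.g. only iodef records: not a restriction
        return True, f"no '{tag}' property at {owner}: issuance permitted"
    for rec in restricting:
        issuer, params = parse_issue_value(rec.value)
        if issuer and issuer == issuer_domain.lower().rstrip("."):
            return True, f"authorised by {rec.tag} \"{rec.value}\" at {owner} (params {params})"
    return False, f"{issuer_domain} not listed in any '{tag}' record at {owner}"


def report_targets(zone: Dict[str, List[str]], name: str) -> List[str]:
    """iodef values (mailto: or http(s): URLs) to which a CA should report requests
    that violate this policy. Other schemes are dropped as malformed."""
    _, rrset = relevant_caa_set(zone, name)
    return [r.value for r in rrset
            if r.tag == "iodef" and r.value.lower().startswith(("mailto:", "http:", "https:"))]


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"), ("www.example.com", "sectigo.com"),
                     ("*.example.com", "letsencrypt.org"), ("legacy.example.com", "letsencrypt.org"),
                     ("open.example.com", "letsencrypt.org"), ("nocaa.test", "letsencrypt.org")]:
        ok, why = may_issue(ZONE, name, ca)
        print(f"{'ALLOW' if ok else 'DENY':5} {ca:16} -> {name:20} {why}")
    print("report to:", report_targets(ZONE, "www.example.com"))
```

The sample zone exercises the cases a practitioner most often gets wrong: a subdomain with no records of its own inherits example.com's policy, the issuewild ";" record blocks every wildcard request even though the same CAs are allowed ordinary names, an unknown property with the critical flag blocks issuance entirely, and a record set containing only iodef restricts nothing. The same records can be fetched for a real domain with dig and the CAA record type and pasted into ZONE in place of the constructed ones.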