Logo
Sign InSign Up

What is a Certificate Authority Authorization (CAA) Record?

Last modified on Sunday, September 3, 2023

3 minute read

What is a Certificate Authorization Authori

What is a Certificate Authority Authorization (CAA) Record?

Certificate Authority Authorization (CAA) is a vital mechanism that plays a pivotal role in bolstering web security by allowing domain owners to specify which Certificate Authorities (CAs) are authorized to issue digital certificates for their domains. A CAA record is added to a domain's DNS zone.

RFC 8659 - ...additional controls to reduce the risk of unintended certificate mis-issue.

What is Certificate Authority Authorization (CAA)?

Certificate Authority Authorization (CAA) is a DNS (Domain Name System) record that domain owners can use to control which Certificate Authorities are permitted to issue SSL/TLS certificates for their domains. SSL/TLS certificates are cryptographic keys that secure the data transmitted between a user's browser and a website's server, ensuring that sensitive information remains confidential and tamper-proof.

CAA records are essentially a set of rules or policies that specify which CAs are authorized to issue certificates for a particular domain. When a CA receives a certificate request for a domain, it checks the domain's DNS records for CAA entries to determine whether it has permission to issue a certificate for that domain.

How many companies implement Certificate Authority Authorization (CAA) records?

Percentage of Cybersecurity Companies with Certificate Authority Authorization (CAA) Records

7441 Companies. Last Updated October 2023.

How do I lookup my CAA record?

You can look up your Certificate Authority Authorization (CAA) Record and check other domain security features on our Cyber Security Risk Scoring page.

Why was the CAA standard created and who backs it?

CA/Browser Forum - [CAA]...allows [Domain Owners] to mitigate the problem that the public CA trust system is only as strong as its weakest CA.

Which Certificate Authorities Support CAA?

In 2017, 94% of voting Certificate Authorities (CAs) voted in favour of making CAA checking mandatory, as well as all voting browsers, with Mozilla, Google, and Apple supporting making Certificate Authority Authorization Checking Mandatory.

CA/Browser Forum - Yes votes: Let’s Encrypt, Izenpe, Comodo, GoDaddy, HARICA, GDCA, Trustwave, SwissSign, Symantec, SHECA, CFCA, SSC, GlobalSign, Cisco, Buypass, DigiCert, Disig

Compared to other Cyber Security Risk Scoring metrics) policies such as DMARC and SPF, CAA is still slow to gain traction. For a breakdown of adoption of different risk policies, see Cyber Security Policy Adoption Statistics.

Why is Certificate Authority Authorization Important?

  • Enhanced Security: One of the primary reasons CAA is important is because it strengthens the security of SSL/TLS certificates. Without CAA, any CA could potentially issue a certificate for any domain, making it easier for malicious actors to create fraudulent websites and carry out phishing attacks. CAA helps domain owners maintain control over their digital identities and reduces the risk of unauthorized certificate issuance.

  • Prevents Certificate Misissuance: Certificate misissuance occurs when a CA issues a certificate for a domain without proper authorization. This can happen due to human error or malicious intent within a CA. CAA records act as a safeguard against such incidents by explicitly specifying which CAs are allowed to issue certificates for a given domain.

  • Regulatory Compliance: Many industries and regulatory bodies require organizations to implement security measures to protect sensitive data. CAA records can assist organizations in meeting compliance requirements by ensuring that only trusted CAs issue certificates for their domains.

  • Mitigates Risk: By explicitly stating which CAs are authorized to issue certificates, domain owners can reduce the risk associated with rogue CAs or third-party certificate issuers. This minimizes the chances of unauthorized certificates being used for nefarious purposes.

  • Accountability: CAA records help establish accountability in the certificate issuance process. If a CA issues a certificate without proper authorization, it can be traced back to a violation of CAA policies, making it easier to identify and rectify any breaches.

CAA IODEF Record

Stellastra also recommends adding a CAA IODEF Record. That is an Incident Object Description Exchange Format (IODEF) record for Certificate Authority Authorization.

RFC 8659 - The [CAA] iodef property specifies a means of reporting certificate issue requests... when those requests or issuances violate the security policy of the Issuer or the FQDN holder


Share this article

Stellastra The Cyber Security Comparison Platform

© 2024 Stellastra Ltd. All rights reserved. All names, logos, trademarks, et al, belong to their respective owners. No endorsement or partnership is necessarily implied between company and Stellastra and vice versa. Information is provided for convenience only on an as is basis. For the most up to date information, contact vendor directly. Scores including email security, SPF, and DMARC are calculated based on Stellastra's algorithms and other analyses may return different results.

LinkedInTwitter

Company

About StellastraContact usCyber Security Risk ScoreEmail Deliverability ToolStellastra Discover

Stay up to date