What is a Certificate Authority Authorization (CAA) Record?
Last modified on Wednesday, May 8, 2024
4 minute read
What is a Certificate Authority Authorization (CAA) Record?
Certificate Authority Authorization (CAA) is a vital mechanism that plays a pivotal role in bolstering web security by allowing domain owners to specify which Certificate Authorities (CAs) are authorized to issue digital certificates for their domains. A CAA record is added to a domain's DNS zone.
RFC 8659 - ...additional controls to reduce the risk of unintended certificate mis-issue.
What is Certificate Authority Authorization (CAA)?
Certificate Authority Authorization (CAA) is a DNS (Domain Name System) record that domain owners can use to control which Certificate Authorities are permitted to issue SSL/TLS certificates for their domains. SSL/TLS certificates are cryptographic keys that secure the data transmitted between a user's browser and a website's server, ensuring that sensitive information remains confidential and tamper-proof.
CAA records are essentially a set of rules or policies that specify which CAs are authorized to issue certificates for a particular domain. When a CA receives a certificate request for a domain, it checks the domain's DNS records for CAA entries to determine whether it has permission to issue a certificate for that domain.
How many companies implement Certificate Authority Authorization (CAA) records?
Percentage of Cybersecurity Companies with Certificate Authority Authorization (CAA) Records
7443 Companies. Last Updated May 2024.
How do I lookup my CAA record?
You can look up your Certificate Authority Authorization (CAA) Record and check other domain security features on our Cyber Security Risk Scoring page.
Why was the CAA standard created and who backs it?
CA/Browser Forum - [CAA]...allows [Domain Owners] to mitigate the problem that the public CA trust system is only as strong as its weakest CA.
Which Certificate Authorities Support CAA?
In 2017, 94% of voting Certificate Authorities (CAs) voted in favour of making CAA checking mandatory, as well as all voting browsers, with Mozilla, Google, and Apple supporting making Certificate Authority Authorization Checking Mandatory.
CA/Browser Forum - Yes votes: Let’s Encrypt, Izenpe, Comodo, GoDaddy, HARICA, GDCA, Trustwave, SwissSign, Symantec, SHECA, CFCA, SSC, GlobalSign, Cisco, Buypass, DigiCert, Disig
Compared to other Cyber Security Risk Scoring metrics) policies such as DMARC and SPF, CAA is still slow to gain traction. For a breakdown of adoption of different risk policies, see Cyber Security Policy Adoption Statistics.
Why is Certificate Authority Authorization Important?
-
Enhanced Security: One of the primary reasons CAA is important is because it strengthens the security of SSL/TLS certificates. Without CAA, any CA could potentially issue a certificate for any domain, making it easier for malicious actors to create fraudulent websites and carry out phishing attacks. CAA helps domain owners maintain control over their digital identities and reduces the risk of unauthorized certificate issuance.
-
Prevents Certificate Misissuance: Certificate misissuance occurs when a CA issues a certificate for a domain without proper authorization. This can happen due to human error or malicious intent within a CA. CAA records act as a safeguard against such incidents by explicitly specifying which CAs are allowed to issue certificates for a given domain.
-
Regulatory Compliance: Many industries and regulatory bodies require organizations to implement security measures to protect sensitive data. CAA records can assist organizations in meeting compliance requirements by ensuring that only trusted CAs issue certificates for their domains.
-
Mitigates Risk: By explicitly stating which CAs are authorized to issue certificates, domain owners can reduce the risk associated with rogue CAs or third-party certificate issuers. This minimizes the chances of unauthorized certificates being used for nefarious purposes.
-
Accountability: CAA records help establish accountability in the certificate issuance process. If a CA issues a certificate without proper authorization, it can be traced back to a violation of CAA policies, making it easier to identify and rectify any breaches.
List of Certificate Authorities
We have curated a list of root certificate authorities and their intermediate certificate authorities. This list will help to give you an understanding of how you can take control of your certificate issuance process.
CAA IODEF Record
Stellastra also recommends adding a CAA IODEF Record. That is an Incident Object Description Exchange Format (IODEF) record for Certificate Authority Authorization.
RFC 8659 - The [CAA] iodef property specifies a means of reporting certificate issue requests... when those requests or issuances violate the security policy of the Issuer or the FQDN holder