
Solution ID : SO29555

Last Modified : 05/02/2018

Certification Authority Authorization (CAA)

Solution

What is Certification Authority Authorization?
DNS Certification Authority Authorization (CAA), defined in IETF draft RFC 6844, is designed to allow a DNS domain name holder (a website owner) to specify the certificate signing certificate(s) authorized to issue certificates for that domain or website. Usually, the certificate signing certificate will belong to the Certification Authority (CA) that issues SSL certificates to you. It’s a way for you to indicate which CA or CAs you want to issue certificates for your domains. Using CAA could reduce the risk of unintended certificate mis-issuance, either by malicious actors or by honest mistake.

For example, if you own thawte.com, and wish to express your preference that certificates for that domain should only be issued by Primary CA, you would create a CAA record in DNS indicating such. If a malicious actor, or an employee who is not aware of your preference, engages a different CA, Secondary CA, to purchase a certificate for thawte.com, Secondary CA might first check in DNS. If they see that you have a CAA record that does not specify Secondary CA as an allowed certificate issuer, Secondary CA could alert you of that. You could then choose to deny the certificate purchase, or change or add a CAA record to DNS to allow Secondary CA to issue certificates for your domain.

Advantages
CAA is a simple way to express your preference of CAs. Since you own your domain name and control all DNS information for that domain, you can add CAA information to DNS, and change it when you wish. No other party, including the CA, needs to be involved.

If you are responsible for your company’s certificate infrastructure, you may benefit by using CAA. For example, you may have negotiated a volume discount with a particular CA, and wish to purchase all your certificates from that CA to save money. With CAA, you may be alerted when an employee enrolls for a certificate from a different CA.

CAA also includes a feature that enables CAs to report invalid certificate requests. Any compliant CA could notify you via email, web service, or both, about any certificate request they received that did not match the preference you set in your CAA record.

If you use CAA, you’re not tied to one CA. It’s possible to create multiple CAA records for multiple CAs that you wish to do business with. Or you can use CAA to specify that no CA should issue certificates to your domain.


Edit a domain’s CAA DNS record to get Thawte certificates
To get certificates for thawte.com, update the CAA DNS Resource Record to state that Thawte is approved to issue certificates for thawte.com.

The registered domain owner must update the CAA DNS zone file to add Thawte as an approved CA in a CAA DNS record. You can find information about how to access and edit the CAA DNS zone file for the domain by contacting the domain’s registrar.

  1. Open the CAA DNS zone file for editing.
  2. Under $ORIGIN thawteoffer.com, add the line CAA 0 issue "thawte.com" at the zone apex (the "@" owner name, which stands for thawteoffer.com itself), as follows:
    $ORIGIN thawteoffer.com.
    ; "@" is the zone apex; this one record covers thawteoffer.com and every name below it
    @ CAA 0 issue "thawte.com"
  3. Sign in to Thawte Certificate Center (TCC) and open the certificate's Order Summary tab to recheck the order's status. If the check succeeds, your order is processed normally.

    Partners: On your certificate's Order Information page in Thawte Partner Center, click Recheck CAA. If the check succeeds, your order is processed normally.


The single CAA record applies to all web servers in your domain, like www.thawteoffer.com, shop.thawteoffer.com, checkout.thawteoffer.com, etc.
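The following is an added example, not code from the original article or from Thawte: an offline model of the check a CA performs under RFC 6844 before issuing. It shows why the single apex record covers www., shop. and checkout. (the CA walks up from the requested name and uses the first CAA record set it finds), how several "issue" records authorize several CAs, how the "issue ;" form refuses every CA, and how a wildcard request is governed by "issuewild" when one exists. The zone contents, all domain names other than thawte.com and thawteoffer.com, and the helper names are constructed assumptions for the example; nothing is looked up in real DNS.

```python
"""Offline model of the RFC 6844 CAA check a CA runs before issuing a certificate.

Added example, not the article's or Thawte's own code. The zone data below is
constructed for illustration; real CAs resolve CAA through live DNS.
"""

# Constructed CAA zone: owner name -> list of (flags, tag, value).
# thawteoffer.com mirrors the article's example: one record at the registered
# domain, none at the subdomains, so www./shop./checkout. inherit it.
CAA_ZONE = {
    "thawteoffer.com": [(0, "issue", "thawte.com")],
    # Two CAs allowed for ordinary names, only one of them for wildcards.
    "multi.example": [(0, "issue", "ca-one.example"),
                      (0, "issue", "ca-two.example"),
                      (0, "issuewild", "ca-one.example")],
    # "issue ;" is the form that tells every CA not to issue.
    "locked.example": [(0, "issue", ";")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL_FLAG = 0x80  # RFC 6844 flags byte, bit 7


def normalize(name):
    """Lower-case a DNS name and drop a trailing dot so comparisons are stable."""
    return name.lower().rstrip(".")


def relevant_caa_records(name, zone=CAA_ZONE):
    """Return the CAA record set that governs `name` (RFC 6844, section 4).

    The CA starts at the requested name and climbs towards the root; the
    first CAA record set found is the relevant one. Returns (owner, records),
    or (None, []) when no ancestor carries CAA records.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return candidate, zone[candidate]
    return None, []


def issuance_authorized(name, ca_domain, wildcard=False, zone=CAA_ZONE):
    """Decide whether the CA identified by `ca_domain` may issue for `name`.

    - No CAA records anywhere up the tree: CAA imposes no restriction.
    - A critical-flagged record with a tag the CA does not understand: refuse.
    - Wildcard requests use "issuewild" records when any exist, else "issue".
    - If the relevant set has no record of the applicable tag, it is silent
      on this kind of request and does not restrict it.
    - Otherwise the CA must be listed; the value's domain part (before any
      ";parameters") is compared, and an empty domain (the ";" form) lists nobody.
    """
    owner, records = relevant_caa_records(name, zone)
    if owner is None:
        return True
    if any(flags & CRITICAL_FLAG and tag not in KNOWN_TAGS
           for flags, tag, _ in records):
        return False
    wanted = "issue"
    if wildcard and any(tag == "issuewild" for _, tag, _ in records):
        wanted = "issuewild"
    matching = [value for _, tag, value in records if tag == wanted]
    if not matching:
        return True
    allowed = {value.split(";", 1)[0].strip().lower() for value in matching}
    allowed.discard("")
    return normalize(ca_domain) in allowed


if __name__ == "__main__":
    for host, ca in [("www.thawteoffer.com", "thawte.com"),
                     ("shop.thawteoffer.com", "other-ca.example"),
                     ("locked.example", "thawte.com"),
                     ("nocaa.example", "any-ca.example")]:
        owner, _ = relevant_caa_records(host)
        print(f"{host:28} CA={ca:18} governed by {owner!s:18} "
              f"authorized={issuance_authorized(host, ca)}")
```

The climb in relevant_caa_records is the mechanism behind the statement that one record applies to every web server in the domain: a CA asked for checkout.thawteoffer.com finds no records at that name and stops at thawteoffer.com. Adding a CAA record at a subdomain would, by the same rule, override the apex record for that subdomain only.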


Update: With DigiCert's acquisition of Symantec Website Security and related PKI solutions, Certification Authority Authorization (CAA) records can now include digicert.com. This authorizes DigiCert to issue DigiCert, Symantec, Thawte, GeoTrust, and RapidSSL certificates for domains that contain such CAA records.

Do you already have a CAA Resource Record authorizing Thawte to issue certificates for yourdomain.com (yourdomain.com CAA 0 issue "thawte.com")? Then you don't need to modify your existing CAA RR, nor do you need to create additional CAA RRs for yourdomain.com. With that record you authorize DigiCert to issue your Thawte brand certificates for that domain plus all the other DigiCert certificate brands (DigiCert, Symantec, GeoTrust, and RapidSSL).