Certificate Authority Authorization (CAA) Records in DNS

Scott Rogers Introduction-To

One relatively new certificate management capability that many site administrators don't know about is the ability to specify which CAs are allowed to issue certificates for the domains you control.  This capability is called Certificate Authority Authorization, or CAA, and it's accomplished using DNS records.

Here's how it works.  Your domain's DNS record will support an entry for what they call the Certificate Authority Authorization.  This entry specifies the CAs that are allowed to issue certificates for this particular domain name.  Any DNS record with an open or missing CAA entry is eligible to receive certificates from any CA.  But if the DNS record contains a valid CAA entry, then only the CAs specified are allowed to issue certificates to this domain name.

CAA entries can specify permitted CAs at the domain and subdomain level and can include multiple CAs for the same domain or subdomain. A CA can be permitted to issue SSL/TLS certificates of any type or it can be limited to wildcard certificates.  The DNS administrator can also specify that no CAs be allowed to issue certificates for a specific domain or subdomain.

In this entry you also can specify an email address at which you will be notified by CAs of policy violations.

CAA records offer site administrators the opportunity to exercise greater control over which certificates are issued for the domain names they control.  It helps companies standardize on one or a set of CAs and gives IT administrators greater visibility and control over IT project running on their online properties.  On the downside, a CAA record can greatly restrict the availability of certificates for a site and can present unexpected and intractable problems for an IT or development manager who is not aware of issuance restrictions that have been placed on a site using DNS.

So while CAA records offer the potential for extra management power and control, make sure you use them carefully and are prepared to make the full organization understand how it can get the certificates it needs.