CAA stands for Certificate Authority Authorization (try saying that five times fast), but don’t let that mouthful throw you off. CAA, a specific type of DNS record, empowers website owners to dictate which Certificate Authorities (CAs) can issue certificates for their domain names. It was first standardized in 2013 (RFC 6844) and revised into its current form in 2019 by RFC 8659; RFC 8657, also from 2019, adds ACME-specific parameters that let a domain pin issuance to a particular ACME account or validation method. By default, any public CA can issue certificates for any domain within the public DNS, as long as it validates domain control; this means a single glitch in the validation process of any one public CA could jeopardize every domain name on the internet. Fortunately, CAA offers domain holders a safeguard that narrows that exposure to the CAs they have chosen.
In simpler vernacular, CAA is a way for domain owners to specify which Certificate Authorities (CAs) are allowed to issue certificates for their domain.
CAA operates in the shadowy corridors of the Domain Name System (DNS). Within these corridors, the domain owner publishes CAA records at the domain name, effectively laying down the law on which CAs have the green light to issue certificates. A record published at example.com also governs every name beneath it that has no CAA records of its own.
When a CA receives a request for a certificate, it doesn’t just blindly issue it. First it looks up CAA records for the requested name, walking toward the root (www.example.com, then example.com, then com) and stopping at the first name that has any; that set is the one that applies. If that set names authorized issuers and the CA is not among them, it must refuse. If no CAA records exist anywhere up the tree, any CA may issue, which is the default for every domain that hasn’t published one. This check is not optional: the CA/Browser Forum Baseline Requirements have required publicly trusted CAs to check CAA before issuance since September 2017.
Let’s switch gears for a moment. Picture this: you’re a domain owner, and you’ve put in blood, sweat, and tears (and possibly too much caffeine) into setting up a secure website. The last thing you want is some rogue CA issuing a certificate for your domain, potentially allowing bad actors to impersonate your site and wreak havoc. That’s where a CAA steps in.
Protection: By specifying which CAs can issue certificates for your domain, you reduce the risk of fraudulent certificates being issued.
Control: As the domain owner, you get a say! You decide who’s in and who’s out.
Auditing: The CAA can also help during audits by making it clear which CAs are authorized, streamlining the process and making it easier to identify any discrepancies.
To create a CAA record set, start from a list of the Certificate Authorities you currently use and approve. The value you publish for each one is the CA’s CAA identifier (its issuer domain name, for example letsencrypt.org for Let’s Encrypt), which every CA publishes in its Certification Practice Statement; the issue tag covers ordinary names and issuewild covers wildcard certificates. Before publishing, reconcile that list against an inventory of the certificates you actually have in service, because any CA you leave out will fail at its next renewal and take the site down with it. A tool with an integrated CAA creator helps here: it verifies that you are approving all the CAs you are currently using and prevents an outage caused by omitting a critical one.
CAA stops an honest, properly operating CA from issuing for your domain when an attacker manages to pass that CA’s domain validation (a validation bug, a hijacked validation path, or an abandoned host the attacker now controls), because the CA consults your record before it issues. It cannot stop an attacker who has compromised the CA itself, as in the 2011 DigiNotar breach: such an attacker signs with the CA’s keys and never runs the CAA check at all. Nor does it help if the attacker already controls your authoritative DNS, since they can simply rewrite the record. What you can do about those cases is detect them quickly. A Certificate Transparency log monitor with CAA breach detection compares the issuer of every certificate logged for your names against your CAA policy and alerts on any certificate from a CA you have not authorized, typically before the attacker can use it against your users. This only covers logged certificates, but Chrome and Safari have required CT logging for publicly trusted certificates since 2018, so an unlogged certificate would not be accepted by those browsers anyway.
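The lookup a CA performs before issuing, the pre-publication check that you are not locking out a CA you still depend on, and CT-based CAA breach detection all rest on one decision: given a name, a CA and a set of CAA records, is issuance allowed? The following Python is an added example, not code from the original post or from any tool it mentions. It models the RFC 8659 lookup over a constructed in-memory zone (a real deployment queries DNS, and this model skips CNAME chasing), uses illustrative CA identifiers such as letsencrypt.org, digicert.com and sectigo.com, and applies the same decision first to a constructed certificate inventory and then to a constructed set of CT log hits.

```python
# Added example (not code from the original post). Models the RFC 8659
# lookup a CA performs before issuing, then reuses it as a pre-deployment
# check and as a Certificate Transparency "CAA breach" check. The zone,
# the certificate inventory and the CT hits are constructed for illustration;
# CNAME chasing is omitted and the RFC 8657 parameters (accounturi,
# validationmethods) are parsed but not enforced.
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit value 128 = issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # "<issuer-domain-name>[; param=value ...]" or ";" for nobody


# Constructed zone. Identifiers such as letsencrypt.org are the CAA
# issuer-domain-names CAs publish in their CPS; confirm them before use.
ZONE = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issue", "digicert.com; validationmethods=dns-01"),
        CAA(0, "issuewild", ";"),                  # no wildcard certs at all
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com": [CAA(0, "issue", "sectigo.com")],  # overrides parent
    "locked.example.com": [CAA(128, "futuretag", "x")],       # critical + unknown
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(zone, name):
    """RFC 8659 section 3: walk from the name toward the root and return the
    first non-empty CAA RRset, together with the name it was found at."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, list(zone[candidate])
    return None, []


def parse_value(value):
    """Split 'ca.example; k=v; k2=v2' into (issuer_domain, {k: v})."""
    head, *rest = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in rest if "=" in p)
    return head.lower(), {k.strip(): v.strip() for k, v in params.items()}


def may_issue(zone, name, ca_id, wildcard=False):
    """Decide whether the CA identified by ca_id may issue for `name`
    (or for *.name when wildcard=True). Returns (allowed, reason)."""
    origin, rrset = relevant_caa_set(zone, name)
    if not rrset:
        return True, "no CAA records up the tree: issuance unrestricted"
    # A critical record with a tag the CA does not understand forbids
    # issuance outright (RFC 8659 section 4.1).
    for rr in rrset:
        if rr.flags & 128 and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag '{rr.tag}' at {origin}"
    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    # Wildcard requests use issuewild if present, else issue; plain
    # requests ignore issuewild entirely (RFC 8659 section 4.3).
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"CAA at {origin} carries no issue/issuewild restriction"
    allowed = {parse_value(rr.value)[0] for rr in applicable} - {""}
    if ca_id.lower() in allowed:
        return True, f"{ca_id} authorized by CAA at {origin}"
    return False, f"{ca_id} not authorized at {origin} (allowed: {sorted(allowed) or 'nobody'})"


def find_violations(zone, certs):
    """certs: iterable of (name, ca_id). Returns the entries the zone does
    not permit. Run it over certificates already in service before
    publishing the zone (outage preflight), or over CT log results for your
    names (CAA breach detection)."""
    bad = []
    for name, ca_id in certs:
        wildcard = name.startswith("*.")
        ok, why = may_issue(zone, name[2:] if wildcard else name, ca_id, wildcard)
        if not ok:
            bad.append((name, ca_id, why))
    return bad


# Constructed certificate inventory and CT log hits.
INVENTORY = [
    ("www.example.com", "letsencrypt.org"),
    ("api.example.com", "digicert.com"),
    ("legacy.example.com", "sectigo.com"),
    ("*.example.com", "digicert.com"),    # would break: wildcards forbidden
    ("old.example.com", "sectigo.com"),   # would break: not in parent's list
]
CT_HITS = [
    ("www.example.com", "letsencrypt.org"),
    ("mail.example.com", "globalsign.com"),  # not authorized: investigate
]

if __name__ == "__main__":
    print("Preflight (certs the proposed zone would break):")
    for name, ca, why in find_violations(ZONE, INVENTORY):
        print(f"  {name} via {ca}: {why}")
    print("CT monitor (logged certs violating CAA):")
    for name, ca, why in find_violations(ZONE, CT_HITS):
        print(f"  {name} via {ca}: {why}")
```

Two details are worth noticing when you run it. The wildcard entry in the inventory fails even though digicert.com is an authorized issuer, because a wildcard request is judged by issuewild when that tag is present, and "issuewild ;" authorizes nobody. And legacy.example.com rejects Let’s Encrypt although the parent allows it, because the lookup stops at the first name with records and never merges a child’s set with its parent’s. Both are exactly the kind of surprise a preflight over real certificates is meant to catch before the zone goes live.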