What is a CAA record?

A Certificate Authority Authorisation (CAA) record is a DNS record that specifies which Certificate Authorities (CAs) are authorised to issue certificates for a given domain. Such a record prevents other CAs from issuing certificates for that domain. By setting up a CAA record, the owner of a domain can also be notified whenever anyone attempts to have a certificate issued for their domain in violation of that policy.

CAA records can be set up for the entire domain or for specific host names. They are inherited by subdomains, unless a separate record is set up on the subdomain to override the parent record. CAA records can be used for both single domains and wildcard domains.

A CA must check for the existence of a CAA record

Setting up a CAA record is not obligatory for the end user. However, it is highly recommended as an extra security measure. Since 8 September 2017, CAs have been required to check CAA records. When a domain has at least one CAA record and the CA from which a certificate is requested is not listed, that CA may not issue a certificate for the domain. The check for the existence of a CAA record takes place during the request process for the SSL certificate. If you add or edit a CAA record on the domain at a later time, any SSL certificate issued before the change remains valid; the check applies only at the moment of issuance.

Check a CAA record

You can check for the existence of a CAA record and the values of a record using the Networking4all Qualys SSLLABS scan.

Setting up a CAA record

A CAA record follows a fixed format and uses one of three tags:

  • issue: only the named CA may issue certificates for the host name.
  • issuewild: only the named CA may issue wildcard certificates for the host name.
  • iodef: a URL (such as a mailto: address) to which a CA can report policy violations.

Every CAA record uses exactly one of these tags. Example records:

  • CAA 0 issue "symantec.com"
  • CAA 0 iodef "mailto:abuse@networking4all.com"

Additional CAA policy

It is possible to add an additional policy parameter to a CAA record for a domain name. This can be used, for example, to allow only EV SSL certificates to be issued for this specific domain or host name. For example:

  • CAA 0 issue "digicert.com; policy=ev"

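
The inheritance rule for subdomains, the issue/issuewild distinction and the policy parameter above can all be exercised offline with the following added example. It is not Networking4all's code or a CA's implementation; it evaluates a constructed zone (the names example.com, legacy.example.com and locked.example.com and the CA domains used are assumptions) the way a CA's CAA check does: walk up from the requested name to the closest ancestor that has CAA records, pick the governing tag, and compare the issuer domain.

```python
"""Evaluate a CAA policy over a constructed zone.

Added example, not the page's or any CA's own code. Follows the RFC 8659
semantics: the relevant RRset is the closest name at or above the FQDN
that has CAA records; 'issuewild' governs wildcard names only when present,
otherwise 'issue' applies; a critical flag (0x80) on an unknown tag denies.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @classmethod
    def parse(cls, text: str) -> "CAARecord":
        # Presentation format: <flags> <tag> "<value>", e.g. 0 issue "digicert.com; policy=ev"
        flags, tag, value = text.split(maxsplit=2)
        return cls(int(flags), tag.lower(), value.strip().strip('"'))

    @property
    def critical(self) -> bool:
        return bool(self.flags & 0x80)

    def issuer_and_params(self) -> tuple[str, dict[str, str]]:
        # issuer-domain-name first, then ';'-separated key=value parameters
        head, *rest = [p.strip() for p in self.value.split(";")]
        params: dict[str, str] = {}
        for part in rest:
            if part:
                key, _, val = part.partition("=")
                params[key.strip().lower()] = val.strip()
        return head.lower(), params


# Constructed zone data (assumption): owner name -> CAA records in presentation format.
ZONE = {
    "example.com": ['0 issue "digicert.com; policy=ev"', '0 iodef "mailto:abuse@example.com"'],
    "legacy.example.com": ['0 issue "globalsign.com"'],   # subdomain overriding the parent
    "locked.example.com": ['0 issue ";"'],                # empty issuer: no CA may issue
}


def relevant_rrset(fqdn: str, zone: dict) -> tuple[str | None, list[CAARecord]]:
    """Return (owner, records) of the closest name at or above fqdn with CAA records."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]  # a wildcard name is checked starting at its parent
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, [CAARecord.parse(r) for r in zone[name]]
    return None, []


def may_issue(fqdn: str, ca_domain: str, zone: dict = ZONE) -> tuple[bool, str, dict[str, str]]:
    """Decide whether ca_domain may issue for fqdn; returns (allowed, reason, params)."""
    wildcard = fqdn.startswith("*.")
    owner, rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True, "no CAA records anywhere in the tree: no restriction", {}
    known = {"issue", "issuewild", "iodef"}
    if any(r.critical and r.tag not in known for r in rrset):
        return False, f"{owner} carries a critical flag on an unrecognised tag", {}
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True, f"{owner} has no issue/issuewild restriction", {}
    for rec in governing:
        issuer, params = rec.issuer_and_params()
        if issuer and issuer == ca_domain.lower():
            return True, f"authorised by {owner}: {rec.tag} {rec.value!r}", params
    return False, f"{ca_domain} is not listed in the {governing[0].tag} records of {owner}", {}


if __name__ == "__main__":
    for name, ca in [("www.example.com", "digicert.com"), ("www.example.com", "globalsign.com"),
                     ("*.example.com", "digicert.com"), ("legacy.example.com", "globalsign.com"),
                     ("locked.example.com", "digicert.com"), ("www.other.example", "digicert.com")]:
        allowed, reason, params = may_issue(name, ca)
        print(f"{name:22} {ca:15} {'ALLOW' if allowed else 'DENY ':5} {reason} {params}")
```

The `policy=ev` parameter is returned rather than interpreted, because CAA parameters are defined by the CA named in the record; the check shows only that the issuer domain matches and which extra conditions that CA would then enforce.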
CAA records per CA

Below are example records per CA for setting up your CAA policy:

  • TrustProviderBV
    • CAA 0 issue "trustproviderbv.digitalcertvalidation.com"
    • CAA 0 issuewild "trustproviderbv.digitalcertvalidation.com"
  • DigiCert
    • CAA 0 issue "digicert.com"
    • CAA 0 issuewild "digicert.com"
  • Symantec
    • CAA 0 issue "symantec.com"
    • CAA 0 issuewild "symantec.com"
  • GeoTrust
    • CAA 0 issue "geotrust.com"
    • CAA 0 issuewild "geotrust.com"
  • Thawte
    • CAA 0 issue "thawte.com"
    • CAA 0 issuewild "thawte.com"
  • RapidSSL
    • CAA 0 issue "rapidssl.com"
    • CAA 0 issuewild "rapidssl.com"
  • GlobalSign
    • CAA 0 issue "globalsign.com"
    • CAA 0 issuewild "globalsign.com"
  • AlphaSSL
    • CAA 0 issue "globalsign.com"
    • CAA 0 issuewild "globalsign.com"