Make infringement more difficult with CAA records
If the wrong person gets access to a company’s web server, they can decrypt traffic and collect, for example, sign-in or payment information. Having your certificates spread across different issuers also creates a messy management environment and increases the risk of mistakes.
CAA is a DNS record that makes such infringement more difficult by reducing the risk of certificates being issued by unauthorized certificate authorities, and it is free to implement.
What is CAA (Certificate Authority Authorization)?
A CAA (Certificate Authority Authorization) DNS record allows domain name owners to name one or several certificate authorities (CAs) that are authorized to issue SSL certificates for the specific domain. In effect, you “enforce” your Certificate Policy in DNS by limiting which certificate authorities can be used.
In accordance with industry standards, all CAs must check CAA records to ensure that they are authorized to issue certificates for a domain before the certificate is issued. If no CAA records exist at all, any CA can issue certificates for the domain.
Why should you use CAA?
In short, CAA records help ensure that the company lives up to its Certificate Policy.
By using CAA, you can:
- Limit which certificate authorities can issue certificates for your domain(s)
- Decide whether wildcard certificates are allowed or not
- Have attempts to break the policy reported to an e-mail address
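The check a CA performs before issuing, and the three capabilities listed above, can be seen in the following added example (it is not code from the original article). It applies the CAA lookup rules of RFC 8659 to a constructed zone: the apex publishes issue, issuewild and iodef records, and a subdomain overrides them with its own set. The zone contents, names and CA domains are made up for illustration.

```python
# Added example (not from the article): decide whether a CA may issue for a
# name by applying the CAA rules of RFC 8659. All zone data is constructed.
from collections import namedtuple

CAA = namedtuple("CAA", "flags tag value")  # flags bit 128 = issuer critical
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(rdata):
    """Parse CAA presentation format, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = rdata.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))

# Constructed zone: the apex policy is inherited by subdomains, unless a closer
# name (legacy.example.com here) publishes its own CAA set.
ZONE = {
    "example.com": [
        parse_caa('0 issue "letsencrypt.org"'),
        parse_caa('0 issue "digicert.com"'),
        parse_caa('0 issuewild ";"'),  # no CA may issue wildcard certificates
        parse_caa('0 iodef "mailto:certs@example.com"'),
    ],
    "legacy.example.com": [parse_caa('0 issue "sectigo.com"')],
}

def relevant_rrset(name):
    """Climb toward the root; the first name with CAA records is authoritative."""
    labels = name[2:].split(".") if name.startswith("*.") else name.split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(ca, name):
    """True if a CA with issuer domain `ca` is authorized to issue for `name`."""
    rrset = relevant_rrset(name)
    if not rrset:
        return True  # no CAA anywhere in the tree: any CA may issue
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False  # a critical tag the CA does not understand blocks issuance
    tag = "issue"
    if name.startswith("*.") and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild overrides issue for wildcard requests
    restricting = [r for r in rrset if r.tag == tag]
    if not restricting:
        return True  # e.g. only iodef records: nothing restricts issuance
    # Text before ';' is the issuer domain; a bare ';' authorizes nobody.
    return ca in {r.value.split(";")[0].strip() for r in restricting}

def iodef_contacts(name):  # where a CA reports a request that broke the policy
    return [r.value for r in relevant_rrset(name) if r.tag == "iodef"]
```

Note that the subdomain's own CAA set replaces the apex set entirely, so `legacy.example.com` loses the iodef reporting address unless it republishes one.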
Even though CAA cannot stop cyber criminals from obtaining certificates from the providers that your CAA policy does list, it adds control and monitoring, which in turn increases security and reduces business impact.
In larger organizations, it is also a useful way to keep certificate management from becoming scattered: an employee who is not familiar with the policy cannot obtain certificates from non-listed CAs.