A useful part of domain management and SSL/TLS security is ensuring that only trusted certificate authorities (CAs) can issue SSL/TLS certificates for your domain. That's where Certification Authority Authorization (CAA) records come in.
What are CAA records?
A CAA (Certification Authority Authorization) record acts as a gatekeeper for your domain's certificates. It lets you state explicitly which CAs have permission to issue certificates for your domain. If someone tries to obtain a certificate from a CA that is not on your approved list, the CA is required to refuse the request: publicly trusted CAs have had to check CAA before issuing since September 2017 under the CA/Browser Forum Baseline Requirements. If you publish a reporting address, the CA can also notify you of the attempt.
Here’s how it works:
No CAA Record?
Any CA can issue a certificate for your domain.
CAA Record in Place?
Only the CAs you’ve listed in the record are allowed to issue certificates.
This applies across the board—whether it’s your primary domain or specific subdomains. For instance, if you set a CAA record on thedailywaffle.co.uk, it automatically applies to mail.thedailywaffle.co.uk unless you’ve created a more specific record for that subdomain.
CAA records offer flexibility too. You can establish policies for the entire domain or drill down to individual hostnames, ensuring you maintain full control over who can issue certificates.
In a world where security is paramount, and you need to deter malicious actors, CAA records are a simple yet powerful tool to protect your domain and its reputation. If you haven’t already configured them, it’s worth taking the time to do so.
So, why is this important? Without a CAA record in place, any CA could issue a certificate for your domain. That opens the door to mis-issuance through simple mistakes or, worse, to attackers who abuse a weakly validating or compromised CA.
What CAA Records Prevent
Here's what having a CAA record in place protects you from:
- Unauthorized certificates: by specifying which CAs may issue for your domain, you stop an attacker from obtaining a rogue certificate from any CA that is not on the list. Such certificates could otherwise be used for phishing or man-in-the-middle attacks.
- Wildcard misuse: wildcard certificates (*.example.com) are powerful, but risky if they fall into the wrong hands. With an issuewild record you control whether wildcard certificates may be issued at all and which CAs may issue them. Note that if you publish only issue records, they govern wildcard issuance as well.
- Domain-wide control: CAA records don't just apply to your main domain; they also cascade to subdomains unless you set more specific rules. For example, a record on example.com applies to sub.example.com unless you publish a separate policy there.
Why You Need Them
The main reason to use CAA records is simple: they make it harder for anyone to issue unauthorized certificates for your domain. If a CA isn’t listed in your CAA record, they’re required to deny certificate requests for your domain. That puts you in full control of who can issue certificates and how they can do it.
How to configure CAA Records
The example below shows the published CAA records for thedailywaffle.co.uk:
1 iodef "mailto:[email protected]"
1 issue "comodoca.com"
1 issue "digicert.com"
1 issue "letsencrypt.org"
1 issue "pki.goog"
1 issue "ssl.com"
1 issuewild "comodoca.com"
1 issuewild "digicert.com"
1 issuewild "letsencrypt.org"
1 issuewild "pki.goog"
1 issuewild "ssl.com"
Three types of CAA property tag appear in the configuration above:
- iodef: a URL (mailto:, http: or https:) to which a CA can report a certificate request that violated the policy. Reporting is optional for CAs and not every CA supports it, so treat it as a bonus rather than a guarantee.
- issue: the CAA issuer domain name of a CA that may issue certificates for the apex and, by inheritance, for subdomains without their own records. This is the identifier the CA publishes, not its brand name: Sectigo, for instance, uses comodoca.com.
- issuewild: the issuer domain name of a CA that may issue wildcard certificates. If no issuewild record exists, the issue records govern wildcard issuance too.
The leading number is the flags field. Its only defined bit is the "issuer critical" flag, which in the textual record format is the value 128 (RFC 8659); every other bit is reserved and CAs must ignore it, so the 1 used in the records above behaves exactly like 0. The flag determines how strictly a CA must treat a record it does not understand:
- Flags = 128: the record is critical. A CA that does not understand the property tag must refuse to issue for the domain. This only matters for tags beyond the standard ones, because every compliant CA understands issue, issuewild and iodef.
- Flags = 0: the record is not critical. A CA that does not recognise the tag ignores that record and evaluates the rest of the policy as normal.
Use 0 unless you have a specific reason to set 128. When you first deploy CAA, confirm that every CA you actually use is listed before relying on the policy: a missing entry means renewals fail the moment that CA runs its CAA check.
Another type of record, I am not using but can be configured is:
- issuemail: defined in RFC 9495, this tag declares which CAs are allowed to issue S/MIME certificates for email addresses at the domain.
Advanced Features
Several more granular, and advanced features are offered for CAA records too:
Granular Settings
When you lock down issuance for a particular CA, for example Let's Encrypt, you can append parameters to the issue value to constrain how that CA validates the domain (RFC 8657 defines the validationmethods parameter used here, and an accounturi parameter that pins issuance to a single ACME account). Here's an example configuration:
thedailywaffle.co.uk. CAA 0 issue "letsencrypt.org;validationmethods=dns-01"
What does this do?
Allows Let's Encrypt to issue non-wildcard certificates for thedailywaffle.co.uk and, by inheritance, for any subdomain without its own CAA records.
Limits Let's Encrypt to the DNS-01 validation method; an HTTP-01 or TLS-ALPN-01 attempt must be refused.
Why is this useful?
This setup provides granular control over how certificates are issued:
You might want to force DNS-based validation because an attacker who can serve content on your web host, but cannot change your DNS, is then unable to pass validation.
Wildcard certificates follow the issuewild records if you publish any; if you do not, this issue record and its parameters govern them too. Let's Encrypt requires DNS-01 for wildcards in any case.
Blocking Certificate Issuance
- thedailywaffle.co.uk. CAA 0 issue ";" – This record declares that no CA may issue certificates for the domain name. Because issue also governs wildcards when no issuewild record is present, this blocks wildcard issuance as well.
- thedailywaffle.co.uk. CAA 0 issuemail ";" – This record declares that no CA may issue S/MIME certificates for the domain name.
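To make the inheritance, tag, flag and parameter rules above concrete, here is an added example (not code from this post or from any CA) that evaluates a CAA policy the way an issuer does. The zone data is constructed sample data keyed on thedailywaffle.co.uk; the static and legacy subdomain policies, the reporting address and the unknown tag are assumptions for illustration, and 128 is used for the critical bit as RFC 8659 defines it. No DNS is queried.

```python
"""Offline CAA policy evaluator (added example; not the post's or any CA's code).

Applies the RFC 8659 rules: find the closest name (FQDN or ancestor) with a CAA
RRset, let issuewild override issue for wildcard names, treat ";" as "nobody",
refuse when a critical record carries an unknown tag, and honour the RFC 8657
validationmethods parameter. ZONE is constructed sample data; no DNS is queried.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRITICAL = 128          # issuer-critical bit of the flags octet (RFC 8659 s4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail"}

# Constructed zone: owner name -> CAA rdata in presentation format. The apex is
# the post's domain; the static/legacy subdomain policies are assumptions.
ZONE: Dict[str, List[str]] = {
    "thedailywaffle.co.uk": [
        '0 iodef "mailto:security@example.invalid"',
        '0 issue "letsencrypt.org;validationmethods=dns-01"',
        '0 issue "digicert.com"',
        '0 issuewild "letsencrypt.org"',
    ],
    "static.thedailywaffle.co.uk": ['0 issue ";"'],            # nobody may issue
    "legacy.thedailywaffle.co.uk": ['128 futuretag "x"',      # critical, unknown
                                    '0 issue "digicert.com"'],
}


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rdata: str) -> CAARecord:
    """Parse '<flags> <tag> "<value>"' into its three fields."""
    flags, tag, value = rdata.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def split_value(value: str) -> Tuple[str, Dict[str, str]]:
    """'ca.example;k=v;k2=v2' -> ('ca.example', {'k': 'v', 'k2': 'v2'})."""
    parts = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0].lower(), params


def lookup(name: str) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 s3: climb from the name towards the root until a CAA RRset exists."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in ZONE:
            return owner, [parse_caa(r) for r in ZONE[owner]]
    return None, []


def may_issue(fqdn: str, ca: str, method: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether CA `ca` (its CAA issuer domain) may issue for `fqdn`.

    `method` is the ACME validation method the CA intends to use, if any.
    """
    wildcard = fqdn.startswith("*.")
    source, records = lookup(fqdn[2:] if wildcard else fqdn)
    if not records:
        return True, "no CAA RRset on the name or any ancestor; unrestricted"
    for r in records:
        if r.flags & CRITICAL and r.tag not in KNOWN_TAGS:
            return False, f"critical record with unknown tag '{r.tag}' at {source}"
    # issuewild governs wildcard names only when at least one issuewild exists;
    # otherwise issue records govern both wildcard and non-wildcard names.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True, f"no {tag} records at {source}; unrestricted"
    for r in relevant:
        domain, params = split_value(r.value)
        if domain != ca.lower():
            continue            # a bare ";" yields '' and so never matches
        allowed = params.get("validationmethods")
        if allowed and method not in allowed.split(","):
            return False, f"{ca} limited to {allowed} at {source}"
        return True, f"{ca} permitted by {tag} at {source}"
    return False, f"{ca} not listed in {tag} at {source}"


if __name__ == "__main__":
    for name, ca, method in [
        ("www.thedailywaffle.co.uk", "letsencrypt.org", "http-01"),
        ("*.thedailywaffle.co.uk", "digicert.com", None),
        ("cdn.static.thedailywaffle.co.uk", "letsencrypt.org", "dns-01"),
    ]:
        print(name, ca, method, may_issue(name, ca, method))
```

Run it and the three sample queries are all refused: HTTP-01 is blocked by the validationmethods parameter, DigiCert is not in the issuewild set so it cannot issue a wildcard even though it is in issue, and the ";" policy on static is inherited by cdn.static. Swap the ZONE contents for the output of a real CAA query to check a policy before you publish it.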
Where to find CA issuance names
In most cases, CAs publish the names they recognise on their websites; Let's Encrypt, for example, documents its identifier at the web page Certificate Authority Authorization (CAA) – Let's Encrypt. Every publicly trusted CA is also required by the CA/Browser Forum Baseline Requirements to list the CAA issuer domain names it recognises in section 4.2 of its Certification Practice Statement, so the CPS is the authoritative source.
If you are still stuck, there are web tools that will help build your CAA records, such as CAA Record Generator; this tool will search your domain but also let you manually select CAs too. Whatever source you use, query the records after publishing and confirm every CA you rely on is present before the next renewal.