Certificate Authority Authorization (CAA)

Ok, since Chrome68 the world has become a little more secure (treating http as insecure and enforcing certificate transparency).

But now there’s still one topic that could really offend you nicely secured server stack.

Everybody could be able to issue a certificate if he’s getting access to a web server or a subdomain. By having a valid cert, it becomes really easy to intercept traffic within TLS1.1 / 1.2. CAA helps you break down the certificate issuing to the CA you define (authorize).

It’s quite easy to set up and increases your SSL / TLS certificate security.

Ok, let’s go.

Define your valid CA’s

first of all we need to determine valid CAs that issue certs for our domain.

Therefore we „ab“use the Certificate Transparency Protocol  which gives us a list of certificates for our domains and the according authority.

If you find any certificate, that you or your team did not request, you might already be in trouble – try to get it revoked !!!!

 

Create your CAA DNS record

Now that we’re aware that we’ve only have valid certs and we know our vendor(s) we need to create DNS RECORDS (TYPE CAA).

Examples

Let’s Encrypt Authority X3

miyw.de.     CAA      0 issue "letsencrypt.org"

GlobalSign

miyw.de.     CAA      0 issue "globalsign.com"

You could also add LE + GS as two different CA’s in parallel

miyw.de.     CAA      0 issue "globalsign.com"
miyw.de.     CAA      0 issue "letsencrypt.org"

If you want to receive Emails upon violation of your CAA policy add this additional entry

miyw.de.     CAA      0 iodef "mailto:info@miyw.de"


RECORD GENERATOR

Here’s a nice entry generator for CAA which gives you some features and many output formats

https://sslmate.com/caa/

 

About the Author

Mike Schiessl