Mandatory Certificate Authority Authorisation (CAA) checking from September 2017


From September 8, 2017, Certificate Authority Authorisation (CAA) checking and processing will be mandatory for all Certificate Authorities (CAs).


What is Certificate Authority Authorisation (CAA)?

CAA allows domain owners to control which CAs are allowed to issue certificates for their domain by adding a record to the domain's DNS zone.

The purpose of CAA is to reduce the risk of unauthorised and unknown issuance of SSL/TLS certificates for a domain. Because the check is mandatory, a CA will know not to issue a certificate for a domain if it is not listed as an authorised CA for that domain.


What does this mean for you, the domain owner?

Using CAA is optional for domain owners.

It is up to you if you want to:

  • implement CAA or not
  • authorise multiple CAs to issue certificates
  • authorise a CA separately for wildcard and non-wildcard certificates

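Example CAA record you would need to add to your DNS zone file:

$ORIGIN example.com.

; "@" is the zone origin (example.com.); fields are flags 0, tag "issue", value = the CA's issuer domain
@       CAA 0 issue "your-chosen-CA.com"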

To find out how to access and edit your DNS zone file, contact your domain registrar.
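The sketch below is an added example, not code from the original post or from any CA. It shows how a CA-side check can evaluate CAA records for the choices listed above: several authorised CAs, and separate rules for wildcard certificates through the `issuewild` tag defined in the CAA specification (RFC 6844). The zone data and CA names are constructed placeholders, and CNAME/DNAME alias handling is left out.

```python
# Constructed sample data: CAA record sets keyed by owner name, as (flags, tag, value).
# The CA names are placeholders, not real issuer identifiers.
ZONE = {
    "example.com": [
        (0, "issue", "ca-one.example"),
        (0, "issue", "ca-two.example; account=12345"),
        (0, "issuewild", "ca-two.example"),
    ],
    "locked.example.com": [(0, "issue", ";")],      # no CA may issue
    "odd.example.com": [(128, "futuretag", "x")],   # critical flag on an unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(zone, name):
    """Climb from the name towards the root; the first CAA set found applies."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":            # a wildcard request is checked at its parent name
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def ca_may_issue(zone, name, ca_domain):
    """Return True if ca_domain may issue for name under the CAA records in zone."""
    rrset = relevant_rrset(zone, name)
    # An unrecognised tag with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    wanted = "issue"
    if name.startswith("*.") and any(t.lower() == "issuewild" for _, t, _ in rrset):
        wanted = "issuewild"        # wildcard rules replace "issue" when present
    values = [v for _, t, v in rrset if t.lower() == wanted]
    if not values:
        return True                 # no restricting records: CAA does not limit issuance
    # The issuer name is the part before any ";" parameters; an empty name matches nobody.
    allowed = {v.split(";")[0].strip().lower() for v in values}
    return ca_domain.lower() in allowed - {""}
```

With these records, a CA that is authorised for ordinary certificates is still refused a wildcard, which is the mismatch to look for when several departments buy from different CAs.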


What are our partner CAs saying about Certificate Authority Authorisation?

  • "This requirement will be supported from August 29, 2017.

    CAA is a simple way to express your preference of CAs. You can add CAA information to DNS, and change it when you wish."



  • "CAA may be the best way to protect domain owners from having fraudulent certificates issued in their domain name.

    This has become increasingly important with the proliferation of unauthorized DV certificates."


  • "GlobalSign will start enforcing CAA on August 28, 2017.

    Be sure you use caution when creating CAA records. If you have other departments obtaining certificates you need to coordinate to be sure that all CAs in use will be added to your CAA records."




  • "All CAs will be mandated to check CAA DNS records starting in late 2017.

    Comodo, however, has been supporting this on ALL certificates for the last 12+ months."







Links to additional information:

  1. Section '3.2.2.8 - CAA Records' of the CA/Browser Forum's Baseline Requirements Document
  2. DNS Certification Authority Authorization (CAA) Resource Record from the IETF


Posted on Tuesday 12 September 2017 by Wesley Hall
