Certificate Authority Authorization (CAA)

Certificate Authority Authorization (CAA) is a feature that allows you to protect your domains by specifying which certificate authorities can issue SSL certificates for your domains. CAA is a great way to ensure that only trustworthy certificate authorities, such as Trustwave®, are able to issue certificates for your domains.

Quick Start

Prerequisites

In order to protect your domain using CAA records, you will need the following:

  • The ability to edit the DNS records for your domain
  • A DNS server that is able to support CAA records (since CAA is a relatively new technology, there are several DNS servers and Cloud service providers that have yet to add support for CAA)

Adding the CAA Records

Once you have access to the DNS settings for your domain, you will need to add the appropriate CAA records to the domain's zone configuration. If you have multiple subdomains for your website, you can create a single CAA record for your domain and it will protect all subdomains (e.g., a CAA record for "example.com" will also protect "www.example.com", "admin.example.com", etc.). Use the form below to generate the CAA records to add to the zone.

NOTE: If you won't be requesting wildcard certificates for your domain, then you do not need to add the issuewild record to your zone configuration.


Request Your Certificate

Now that your domain has CAA records, only Trustwave® may issue certificates for your domain. When you submit a certificate request to Trustwave®, processing of the request remains the same as before. However, if an attacker attempts to get a certificate for your domain at another certificate authority, they will be unable to do so as the certificate authority will check the CAA records for your domain and see that only Trustwave® can issue certificates for your domain.

Troubleshooting

If Trustwave® notifies you of a problem encountered when attempting check CAA records prior to issuing a certificate for your domain, ensure that your DNS server is accepting queries for CAA records from the Internet. If the DNS server for your domain cannot be queried for CAA records by Trustwave®, then we cannot issue the certificate. Common reasons for your DNS server being unreachable include:

  • None of your domain's authoritative nameservers are publicly accessible from the Internet.
  • All of your domain's authoritative nameservers refuse to answer CAA record queries.
  • Your domain has a CNAME record that points to a domain whose authorative nameservers are not responding to CAA record queries from the Internet.

To diagnose the issue, try using a DNS query tool (such as dig) and attempt to reproduce the problem. Here is an example command line invocation of dig to query for CAA records (CAA records have a DNS resource record type of 257):

dig [YOUR DOMAIN NAME] type257 +dnssec

If that command times out, or if you encounter an error (such as a SERVFAIL response code), then this is likely the problem that Trustwave® is encountering when attempting to check for CAA records. However, if your domain has no CAA records configured and you are able to successfully query for CAA records, then the problem may be occurring at a parent domain, so it's important to repeat this process for the parent domains.

As an example, assume that the domain you are requesting a certificate for is "subdomain.example.com" and that there are no CAA records configured. Trustwave® will query the following domains for CAA records:

  1. subdomain.example.com
  2. example.com
  3. com

If any of these domains cannot be queried for CAA records, then Trustwave® cannot issue the certificate.

As another example, assume that the domain you are requesting a certificate for is "subdomain.example.com" and that there is a CAA record permitting issuance for Trustwave® at "example.com". Prior to issuing the certificate, Trustwave® will query the following domains for CAA records:

  1. subdomain.example.com
  2. example.com

Since at least one CAA record was found at "example.com", the search for CAA records stops there ("com" is not queried).



Certificate Analyzer

Once you have completed your certificate installation you can use our instant online troubleshooter to verify your installation and help resolve problems.
Certificate Analyzer→

Go Green