book cover

Bulletproof TLS Guide  

Comprehensive and yet concise guide to practical SSL/TLS and PKI configuration. Includes coverage of TLS server configuration and web application security. Written by Ivan Ristić.

1.1.7 Deploy Certification Authority Authorization

Certification Authority Authorization (CAA) is a relatively recent security standard that enables you to restrict what CAs are allowed to issue certificates for your properties. CAA is delivered via DNS. When a new certificate is requested, the CA must look for a CAA policy on the affected hosts and verify that they have permission to proceed. If they don't, the issuance fails.

example.com.  CAA     0 issue "digicert.com"
example.com.  CAA     0 issue "globalsign.com"
example.com.  CAA     0 issue "letsencrypt.org"
example.com.  CAA     0 issue "sectigo.com"

CAA is a very useful addition to the defense arsenal. Even a policy that allows many CAs is helpful as a way of reducing the attack surface, compared to the default, which allows all CAs. Deploying CAA may be difficult in complex environments because a policy set on the domain name applies to all subdomains.

< Prev
^ Table of Contents
Next >