
Bulletproof TLS Guide  

Comprehensive and yet concise guide to practical SSL/TLS and PKI configuration. Includes coverage of TLS server configuration and web application security. Written by Ivan Ristić.


1.1.7 Deploy Certification Authority Authorization

Certification Authority Authorization (CAA) is a security standard (RFC 8659) that enables you to restrict which CAs are allowed to issue certificates for your domain names. CAA is delivered via DNS. Before issuing a certificate, the CA must look up the CAA policy for every name in the request, starting at the name itself and walking up toward the apex until it finds a CAA record set, and verify that it is permitted to proceed. If it is not, issuance must fail. Checking CAA has been mandatory for publicly trusted CAs since September 2017, so a published policy is enforced by every CA your browsers trust.

In the following example configuration, Let’s Encrypt is allowed to issue non-wildcard certificates (issue), DigiCert and Entrust are allowed to issue wildcard certificates (issuewild), no CA is allowed to issue S/MIME certificates (issuemail with an empty issuer), and there is an advertised contact URL for reporting issuance problems (iodef). Note that because issuewild records are present, they alone govern wildcard issuance: Let’s Encrypt cannot obtain a wildcard here, and DigiCert and Entrust cannot obtain non-wildcard certificates. Without any issuewild records, the issue records would govern both kinds.

example.com.  CAA     0 issue "letsencrypt.org"
example.com.  CAA     0 issuewild "digicert.com"
example.com.  CAA     0 issuewild "entrust.com"
example.com.  CAA     0 issuemail ";"
example.com.  CAA     0 iodef "mailto:pki@example.com"

CAA is a very useful addition to the defense arsenal. Even a policy that allows many CAs is helpful as a way of reducing the attack surface, compared to the default, which allows all CAs. Deploying CAA may be difficult in complex environments because a policy set on the apex domain name applies to every subdomain that does not publish CAA records of its own. A subdomain that needs a different set of CAs must publish its own record set, and that set then replaces, rather than extends, the apex policy for that name and everything beneath it. Before you publish anything, get a list of all existing certificates for the entire domain name space (including subdomains) and use it to establish which CAs need to be on your list; Certificate Transparency logs are the authoritative source of this inventory, and a good PKI monitoring tool will build the list from them.

If you’re operating a very secure environment, restricting issuance to the level of a CA may not be sufficient: anyone who can pass domain validation at a permitted CA, using any account there, can still obtain a certificate. For a better approach, work with CAs that support CAA account binding (RFC 8657, which adds the accounturi and validationmethods parameters to issue and issuewild records). With this feature, you will be locking issuance to specific accounts operated by your CAs and, optionally, to specific validation methods such as dns-01.
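As an added example (not code from the book and not any CA’s implementation), the following Python mirrors the decision a CA has to make before issuing: it climbs the DNS tree to find the relevant CAA record set, applies the issue, issuewild and issuemail semantics from RFC 8659 and RFC 9495, and honours the accounturi and validationmethods parameters from RFC 8657 that implement account binding. The zone data is constructed to match the records above, plus a shop.example.com subdomain that overrides the apex policy with a hypothetical Let’s Encrypt account URI; the lookup is an in-memory dictionary rather than real DNS, and CNAME following and the critical flag are not modelled.

```python
"""Evaluate a CAA policy the way an issuing CA must.

Added example. Implements the RFC 8659 lookup (climb toward the root until a
name with CAA records is found), the issue/issuewild semantics, the RFC 9495
issuemail property and RFC 8657 account binding. The zone is constructed
sample data, not a real DNS lookup; CNAMEs and the critical flag are ignored.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed zone: owner name -> list of (property tag, value).
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "example.com.": [
        ("issue", "letsencrypt.org"),
        ("issuewild", "digicert.com"),
        ("issuewild", "entrust.com"),
        ("issuemail", ";"),  # empty issuer: nobody may issue S/MIME
        ("iodef", "mailto:pki@example.com"),
    ],
    # Subdomain with its own policy: it replaces the apex policy for this
    # name and everything below it. The account URI is hypothetical.
    "shop.example.com.": [
        ("issue", "letsencrypt.org; "
                  "accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345; "
                  "validationmethods=dns-01"),
    ],
}


@dataclass
class Request:
    """What the CA knows about the pending issuance."""
    fqdn: str
    ca_id: str                      # the CA's own CAA identifier
    wildcard: bool = False
    smime: bool = False
    account_uri: Optional[str] = None
    validation_method: Optional[str] = None


def relevant_caa_rrset(zone, fqdn):
    """RFC 8659 section 3: the first name, walking from the FQDN toward the
    root, that has CAA records supplies the policy. No merging with parents."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if zone.get(name):
            return name, list(zone[name])
    return None, []


def parse_issue_value(value):
    """'<issuer-domain>[; key=value]*' -> (issuer, params). ';' alone = no issuer."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def record_authorizes(value, req):
    """One issue/issuewild/issuemail record grants issuance only if the issuer
    matches and every RFC 8657 parameter present is satisfied."""
    issuer, params = parse_issue_value(value)
    if issuer != req.ca_id.lower():
        return False
    if "accounturi" in params and params["accounturi"] != req.account_uri:
        return False
    if "validationmethods" in params:
        allowed = [m.strip() for m in params["validationmethods"].split(",")]
        if req.validation_method not in allowed:
            return False
    return True


def issuance_allowed(zone, req):
    """Return (allowed, reason) for the request against the zone."""
    owner, rrset = relevant_caa_rrset(zone, req.fqdn)
    if not rrset:
        return True, "no CAA records at the name or any ancestor; any CA may issue"
    if req.smime:
        tag = "issuemail"                       # RFC 9495: only issuemail governs S/MIME
    elif req.wildcard and any(t == "issuewild" for t, _ in rrset):
        tag = "issuewild"                       # issuewild present: it alone governs wildcards
    else:
        tag = "issue"                           # issue governs non-wildcards (and wildcards if no issuewild)
    candidates = [v for t, v in rrset if t == tag]
    if not candidates:
        return True, f"{owner} publishes no {tag} property; that kind of issuance is unrestricted"
    for v in candidates:
        if record_authorizes(v, req):
            return True, f"authorized by {owner} {tag} \"{v}\""
    return False, f"{owner} {tag} records do not authorize {req.ca_id} (identifier or parameters mismatch)"


if __name__ == "__main__":
    acct = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"
    for r in [Request("www.example.com.", "letsencrypt.org"),
              Request("www.example.com.", "digicert.com"),
              Request("example.com.", "letsencrypt.org", wildcard=True),
              Request("example.com.", "digicert.com", smime=True),
              Request("shop.example.com.", "letsencrypt.org", account_uri=acct, validation_method="dns-01"),
              Request("shop.example.com.", "letsencrypt.org", account_uri=acct, validation_method="http-01")]:
        ok, why = issuance_allowed(ZONE, r)
        print("ALLOW" if ok else "DENY ", r.fqdn, r.ca_id, "-", why)
```

Run it against your own published records (swap the dictionary for a real query of the CAA type) for each CA and certificate kind you actually rely on; a DENY for a CA you use in production is a policy bug that will surface as a failed renewal.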
