There’s a lot of acronyms there, so I guess I should start by explaining what I’m talking about!
Certificate Authority (CA)
A Certificate Authority (CA) is where you go in order to get the certificate for your website, whatever flavour you prefer. They have the power to generate a certificate for any domain, which is why they (should!) perform tests to ensure that you do actually own the domain before issuing. But there’s always the risk of a mis-issuance.
Certificate Authority Authorization (CAA)
Certificate Authority Authorization (CAA) is a way of telling the world (and therefore all of the CAs) which CAs are authorised to issue certificates for your domain. These are DNS records which are added, of type CAA, and list which domains can issue root and/or wildcard certificates. Of course a rogue CA could still ignore this, but they would be heavily penalised for doing so.
Certificate Transparency (CT)
Certificate Transparency (CT) is a way of viewing all certificates that have been issued. When a CA creates a new certificate, it must be logged in the CT logs. If it is not, then the browser will not consider the certificate to be valid. This means that even if a rogue CA was to issue a certificate, ignoring your CAA, they would have to add a CT log for it to be valid, and you can monitor and be notified of this, so at least you know. Facebook has a great tool for this.
Cloudflare
So we’ve determined that having CAA is a good idea, it should reduce the risk of another CA mis-issuing a certificate for your domain, but how do we do it? Well my site uses the Universal SSL feature of Cloudflare, and they say that you don’t need to configure the CAA records in this case, as they do it automatically. However, when I used the server test on SSL Labs (great tool, by the way!) it said that I didn’t have any CAA records.
I posted on Twitter and got a response from Troy Hunt, but he thought they should be added automatically as well, I think…
I'm confused (not hard). @Cloudflare says that they include CAA records when using Universal SSL, but when I test my site @ssllabs says there's no CAA. Where am I going wrong? @troyhunt @Scott_Helme
— Rik Lewis (@rik_lewis) June 28, 2018
After digging a bit deeper, I found an FAQ on Cloudflare that listed the 6 CAA records that they add, covering the 3 CAs that they use. So I went to the “DNS” tab in Cloudflare and entered them manually…
rik.onl. IN CAA 0 issue “comodoca.com”
rik.onl. IN CAA 0 issue “digicert.com”
rik.onl. IN CAA 0 issue “globalsign.com”
rik.onl. IN CAA 0 issuewild “comodoca.com”
rik.onl. IN CAA 0 issuewild “digicert.com”
rik.onl. IN CAA 0 issuewild “globalsign.com”
rik.onl. IN CAA 0 iodef "mailto:[email protected]"As you can see, there’s actually 7 CAA records listed there. I also added a “Send violation reports to URL” entry as well (iodef) which can be HTTP, HTTPS or MAILTO, and in my case, I’ve gone for MAILTO.
Now when I run the server test on SSL Labs I get a lovely green box which says “DNS Certification Authority Authorization (CAA) Policy found for this domain.”, which makes me very happy!