Certificate Authority Authorization (CAA) Checking to Become Mandatory in September 2017

July 26, 2017 | David Bisson

Certificate authorities (CAs) and web browsers voted overwhelmingly in favor of a ballot to make certificate authority authorization (CAA) checking mandatory; the adopted motion is set to take effect in September 2017.

In March 2017, CAs, web browsers, and other organizations involved with the CA/Browser Forum voted on Ballot 187. This motion received full support from Mozilla, Google, and Apple. Additionally, it gained 94 percent of participating CAs' votes. (Sertifitseerimiskeskus opposed the measure, whereas Actalis abstained.)

The now-passed Ballot 187 makes CAA checking mandatory beginning on 8 September 2017. Certification Authority Authorization lets domain owners specify in the Domain Name System (DNS) which CAs are authorized to issue certificates for their domain. They do this by publishing a CAA record that names a CA's issuer domain name, an identifier each CA states in its certification practice statement (CPS), the document describing how it issues and manages public key certificates. Domain owners add these records to their DNS zone, which can additionally be signed with DNSSEC.


Domain owners can use CAA records to protect themselves against bad actors. Bruce Morton, director of certificate technology and standards at Entrust, elaborates on this point:

"CAA may be the best way to protect domain owners from having fraudulent certificates issued in their domain name. This has become increasingly important with the proliferation of unauthorized DV certificates."

DV certificates, short for "domain validated," are the most common type of SSL/TLS certificate; they require the applicant to prove control of the domain name only. Domain owners complete this validation by responding at the email address listed in the domain's WHOIS record or by placing a verification file on the website. Attackers can easily pass this validation by compromising a site administrator's email account, for example, or by stealing the login credentials for the domain. To protect against such activity and establish a deeper level of trust with web users, some domain owners opt for additional verification by obtaining an organization validated (OV) or extended validation (EV) certificate.

CAA strengthens security for domain owners through three properties: "issue," which authorizes a named CA to issue certificates for the domain; "issuewild," which authorizes a named CA to issue wildcard certificates specifically; and "iodef," which gives CAs an address to which they can report certificate requests that violate the CAA policy. Under the new rules, a CA cannot issue a certificate unless the request matches an existing CAA record exactly or one of a limited set of CPS-documented exceptions applies. Domain owners can therefore use CAA records and these three properties to protect their entire domain or specific hostnames, and to control single-name certificates, wildcard certificates, or both.
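To make the issuance rules concrete, here is an added example (not code from the original post, Venafi, or the CA/Browser Forum) that applies RFC 6844's CAA semantics to constructed sample zone data. It models what a CA's issuance pipeline checks before signing: it climbs from the requested name toward the root to find the relevant CAA record set, lets "issuewild" take precedence over "issue" for wildcard requests, treats an empty value (";") as "no CA authorized", and refuses issuance when a record carries the critical flag with a tag it does not understand. The `SAMPLE_DNS` dictionary stands in for live DNS answers; the record contents (issuer names, account parameter) are invented for illustration.

```python
"""CAA authorization check following RFC 6844 semantics, run over constructed sample data."""
from dataclasses import dataclass

CRITICAL = 128  # issuer-critical flag bit in the CAA flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed sample zone data standing in for live DNS answers (hypothetical names).
SAMPLE_DNS = {
    "example.com": [
        CAARecord(0, "issue", "ca.example.net; account=230123"),
        CAARecord(0, "issuewild", ";"),  # empty value: no CA may issue wildcards
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com": [CAARecord(0, "issue", "other-ca.example.org")],
    "legacy.example.com": [CAARecord(CRITICAL, "tbs", "Unknown")],  # critical, unknown tag
    "example.org": [],  # name exists but publishes no CAA records
}


def lookup_caa(dns, name):
    """Return the CAA records published at exactly `name` (empty list if none)."""
    return list(dns.get(name.lower().rstrip("."), []))


def relevant_record_set(dns, fqdn):
    """Climb from fqdn toward the root; the first non-empty CAA set is the relevant one."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = lookup_caa(dns, name)
        if rrset:
            return name, rrset
    return None, []


def parse_value(value):
    """Split an issue/issuewild value into (issuer_domain, parameters)."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip()] = val.strip()
    return issuer, params


def is_issuance_authorized(dns, requested_name, issuer_domain):
    """Decide whether `issuer_domain` may issue a certificate for `requested_name`.

    Returns (authorized: bool, reason: str).
    """
    wildcard = requested_name.startswith("*.")
    base = requested_name[2:] if wildcard else requested_name
    _, rrset = relevant_record_set(dns, base)
    if not rrset:
        return True, "no CAA records found on the name or any parent"

    # A critical record with a tag the CA does not understand forbids issuance.
    for rec in rrset:
        if rec.flags & CRITICAL and rec.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property '{rec.tag}'"

    # issuewild, when present, takes precedence over issue for wildcard requests.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    applicable = [r for r in rrset if r.tag.lower() == tag]
    if not applicable:
        return True, f"no '{tag}' property restricts issuance"

    for rec in applicable:
        issuer, _params = parse_value(rec.value)
        if issuer and issuer == issuer_domain.lower():
            return True, f"'{tag}' record authorizes {issuer_domain}"
    return False, f"{issuer_domain} is not listed in the '{tag}' records"


if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca.example.net"),
                     ("*.example.com", "ca.example.net"),
                     ("shop.example.com", "ca.example.net"),
                     ("legacy.example.com", "ca.example.net")]:
        ok, why = is_issuance_authorized(SAMPLE_DNS, name, ca)
        print(f"{name:22} {ca:20} {'ALLOW' if ok else 'DENY ':5} ({why})")
```

Two behaviours are worth noticing when running this: `www.example.com` publishes nothing of its own, so the decision comes from the parent `example.com` records, whereas `shop.example.com` publishes its own "issue" record and the parent is never consulted; and a wildcard request for `*.example.com` is denied even though the parent's "issue" record would allow the CA, because the empty "issuewild" value takes precedence.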

In preparation for Ballot 187's implementation in September 2017, domain owners should publish CAA records for their domains, following RFC 6844. For added security, they should invest in a solution that continuously monitors the keys and certificates in their encryption environment. Such a tool should, among other things, automatically generate notifications if and when it discovers a rogue certificate.

About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
