SSL or Secure Sockets Layer (commonly referred to as HTTPS) has now become a necessity for protecting your websites, whether they handle sensitive information or not. An organization needs to install an SSL certificate, issued by a Certificate Authority (CA), on its web server to initiate secure sessions with browsers. After the SSL certificate is installed, the domain name will appear as https://www.domain.com, which indicates that the server is establishing a secure connection with the browser. Once a secure connection is established, the web traffic between the web server and the browser is protected.
Before 8th September 2017, any CA had the authority to issue an SSL certificate for a website. On that date, the CA/Browser Forum (CAB Forum) put a newly defined policy into effect for all CAs. According to this policy, before an SSL certificate can be issued for your domain, a Domain Name System (DNS) record that you, as the domain owner, publish is checked to determine which CA is allowed to issue SSL certificates for that domain. So, you are now able to determine which CAs are authorized to issue SSL certificates for your domain.
The Certificate Authority Authorization (CAA) DNS records now decide whether a certificate provider is eligible to issue a certificate for your domain or not. The following sections explain CAA in more detail.
What is CAA?
CAA or Certificate Authority Authorization is a standard designed to protect websites by preventing unauthorized issuance of SSL/TLS digital certificates. CAA records allow domain owners to specify which certificate authorities are allowed to issue SSL/TLS certificates for their domain.
What is the need for CAA?
Any organization can get an SSL certificate issued by a CA. The downside of this process is that an SSL certificate can also be issued without the knowledge of the domain owner. Such an SSL certificate provides no guarantee of authentication and may not secure your domain at all, which exposes your website to cyber criminals. In such a scenario, attackers can gain access to your domain and misuse its data. At times, cyber criminals can even request certificates or validation for a compromised domain in the name of any certificate authority. These unauthorized certificates can then be used to launch multiple cyber attacks.
The CAB Forum has now made CAA record checking a mandatory part of the certificate issuance process, effective from 8th September 2017. This allows domain owners to obtain an authorized SSL/TLS certificate for their domain. The main goal of this policy is to limit the illegitimate issuance of certificates.
Impact of CAA on SSL certificate issuance:
With the help of CAA DNS records, it is now possible to prevent unauthorized certificates from being mistakenly issued by a CA the owner never authorized. By checking the CAA records, you can easily recognize when a CA that the domain owner has not permitted has been asked to issue an SSL certificate.
CAA helps in preventing unauthorized certificate issuance by:
- Allowing domain owners to check whether a CA is authorized to issue SSL/TLS certificates for their domain or not.
- Requiring CAs to confirm that authorization before issuing a certificate.
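To make the check concrete, here is a defender-side model of the decision a CA takes against CAA records before issuing (walk from the requested name up through its parents until a CAA record set is found, then test the CA's issuer domain against the `issue` or `issuewild` property). This is an added example, not code from the original post; the zone data, domain names and CA names are constructed, and no real DNS is queried.

```python
# Added example: the CAA issuance check a CA performs (modelled on RFC 8659).
# The zone below is constructed sample data; no DNS queries are made.
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) marks an "issuer critical" property
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # CA issuer domain, or ";" meaning "no CA may issue"

# Constructed zone: owner name -> its CAA records (hypothetical names).
ZONE = {
    "example.com.": [CAA(0, "issue", "letsencrypt.org"),
                     CAA(0, "issuewild", ";"),          # no wildcard certs at all
                     CAA(0, "iodef", "mailto:security@example.com")],
    "shop.example.com.": [CAA(0, "issue", "digicert.com")],  # child overrides parent
}

def find_caa(name: str) -> list:
    """Relevant CAA record set: the first non-empty set found while climbing
    from `name` towards the root. An empty list means no CAA policy exists."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []

def may_issue(name: str, ca_domain: str) -> bool:
    """Return True if `ca_domain` is permitted to issue a certificate for
    `name`. A leading '*.' selects issuewild, falling back to issue."""
    wildcard = name.startswith("*.")
    rrset = find_caa(name[2:] if wildcard else name)
    if not rrset:
        return True   # no CAA record anywhere in the chain: unrestricted
    # A critical property the CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True   # only iodef or unknown tags present: not restricted
    # Strip parameters ("letsencrypt.org; validationmethods=dns-01").
    allowed = {r.value.split(";")[0].strip().lower() for r in relevant}
    return ca_domain.lower() in allowed
```

Note that a record with an empty issuer (`issue ";"` or `issuewild ";"`) yields an allowed set containing only the empty string, so no CA matches and issuance is refused.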
The outcome of using CAA DNS records for SSL certificates:
Checking CAA records makes it easier for an organization to enforce a certificate issuance policy across multiple business units. Now that CAA record checking is mandatory, organizations can define a specific set of authorized CAs that may issue SSL certificates for their domain.
This mandatory CAA record check will help reduce the risk of certificates being issued mistakenly or inappropriately. Moreover, it allows only authorized CAs to issue SSL certificates for your domain and helps create a transparent ecosystem for domain owners.
So go ahead and start configuring the CAA records of the domains you own to protect your enterprise.