EU Web Security: 10 Steps to a Better Rating · Part 8

CAA Records: Who Is Allowed to Issue Certificates for Your Domain?

97% of EU domains have no CAA record. Any CA in the world can issue a valid certificate for them. A single DNS entry changes that.

SiteGuardian

Part 8 of the series "EU Web Security: 10 Steps to a Better Rating"


The Problem

There are hundreds of certificate authorities (CAs) worldwide. Every single one can issue a valid TLS certificate for any domain — unless a CAA record explicitly says: "only this CA".

Without CAA: An attacker who compromises any CA (or uses one in a jurisdiction with minimal oversight) can issue a valid certificate for your-domain.com. Browsers accept it without warning.

With CAA: The CA checks the CAA record before issuance. If it is not listed, it refuses. The check happens at the CA, at issuance time (mandatory under the CA/Browser Forum Baseline Requirements since September 2017); browsers do not consult CAA when connecting, so CAA limits mis-issuance by compliant CAs and complements, rather than replaces, Certificate Transparency monitoring.

CAA adoption in the EU: 3%. 97% of domains blindly trust every CA in the world.


How to Set Up CAA

A CAA record is a DNS entry (type CAA). Each record carries a flags field (0 here; 128 marks the property as critical, so a CA that does not understand it must refuse), a property tag, and a value:

your-domain.com. IN CAA 0 issue "letsencrypt.org"
your-domain.com. IN CAA 0 issuewild ";"
your-domain.com. IN CAA 0 iodef "mailto:security@your-domain.com"

  • issue "letsencrypt.org" — only Let's Encrypt may issue standard certificates
  • issuewild ";" — no one may issue wildcard certificates
  • iodef "mailto:..." — notification on policy violations

Allowing Multiple CAs

your-domain.com. IN CAA 0 issue "letsencrypt.org"
your-domain.com. IN CAA 0 issue "digicert.com"

Provider-Specific CA Names

CA                  CAA Value
Let's Encrypt       letsencrypt.org
DigiCert            digicert.com
Sectigo (Comodo)    sectigo.com
GlobalSign          globalsign.com
Amazon/ACM          amazon.com
Google Trust        pki.goog

Common Mistakes

1. Setting CAA without knowing which CA issued the current certificate. Check first: openssl s_client -connect your-domain.com:443 -servername your-domain.com </dev/null 2>/dev/null | openssl x509 -noout -issuer (the -servername flag sends SNI so you get the right certificate, and </dev/null stops s_client waiting on stdin). Add that CA to your record.

2. Forgetting wildcards. issuewild is separate from issue. Without an explicit issuewild, any CA can issue a wildcard certificate — even if issue is restricted.

3. Ignoring subdomains. CAA is inherited hierarchically. A record on your-domain.com also applies to www.your-domain.com — unless the subdomain has its own CAA record.
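The lookup and decision rules that the three mistakes above depend on, written out so they can be exercised on sample data. This is an added example, not code from the article or from SiteGuardian: the ZONE dictionary is a constructed stand-in for real DNS answers (no lookup is performed), the ISSUER_KEYWORDS table is a heuristic that maps the O= field of an issuer DN to the CAA identifiers in the table above, and the evaluation follows RFC 8659 (walk from the requested name toward the root and use the first CAA RRset found, issuewild precedence for wildcard names, refusal on an unrecognised critical property). It goes slightly beyond the article in also handling issue values that carry parameters such as validationmethods and an RRset that contains only iodef.

```python
# Added example (not from the article): RFC 8659-style CAA evaluation over a
# constructed zone, plus a check that a domain's current issuer is covered.
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) = issuer-critical
    tag: str     # "issue", "issuewild" or "iodef"
    value: str


# Constructed zone data (hypothetical names; no real DNS lookup is performed).
ZONE = {
    "your-domain.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),
        CAA(0, "iodef", "mailto:security@your-domain.com"),
    ],
    # Subdomain with its own RRset: overrides the parent and allows DigiCert
    # with an issue parameter attached.
    "dev.your-domain.com": [CAA(0, "issue", "digicert.com; validationmethods=dns-01")],
    # Reporting only: an RRset with just iodef does not restrict issuance.
    "report-only.example": [CAA(0, "iodef", "mailto:caa@report-only.example")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Heuristic (assumption, not a standard): keyword in the issuer DN's O= field
# mapped to the CAA identifier from the article's provider table.
ISSUER_KEYWORDS = {
    "let's encrypt": "letsencrypt.org",
    "digicert": "digicert.com",
    "sectigo": "sectigo.com",
    "comodo": "sectigo.com",
    "globalsign": "globalsign.com",
    "amazon": "amazon.com",
    "google trust": "pki.goog",
}


def relevant_rrset(name, zone=ZONE):
    """RFC 8659 section 3: strip a leading '*.', then walk toward the root;
    the first non-empty CAA RRset is the relevant one (the inheritance
    described in mistake 3)."""
    labels = name.rstrip(".").lower().removeprefix("*.").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def issuer_domain(value):
    """'digicert.com; validationmethods=dns-01' -> 'digicert.com'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca, name, zone=ZONE):
    """Decide whether the CA with CAA identifier `ca` may issue for `name`.
    Returns (allowed, reason)."""
    source, rrs = relevant_rrset(name, zone)
    if not rrs:
        return True, "no CAA record anywhere in the tree: any CA may issue"
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrs):
        return False, f"unrecognised critical property at {source}"
    # RFC 8659 section 4.3: issuewild governs wildcard names and takes precedence
    # when present; otherwise the issue properties are applied to the wildcard too.
    tag = "issue"
    if name.startswith("*.") and any(r.tag == "issuewild" for r in rrs):
        tag = "issuewild"
    permitted = {issuer_domain(r.value) for r in rrs if r.tag == tag}
    if not permitted:
        return True, f"{source} has no {tag} property: issuance is not restricted"
    if ca.lower() in permitted:
        return True, f"{ca} is listed in {tag} at {source}"
    return False, f"{ca} not in {tag} set {sorted(permitted)} at {source}"


def issuer_caa_identifier(issuer_line):
    """Map an `openssl x509 -noout -issuer` line such as
    'issuer=C = US, O = Let's Encrypt, CN = R3' to a CAA identifier, or None."""
    low = issuer_line.lower()
    for keyword, ident in ISSUER_KEYWORDS.items():
        if keyword in low:
            return ident
    return None


def current_issuer_covered(issuer_line, name, zone=ZONE):
    """Mistake 1: before publishing CAA, confirm the CA that issued the
    current certificate would still be allowed to renew it."""
    ident = issuer_caa_identifier(issuer_line)
    if ident is None:
        return False, "issuer not in keyword table: add its CAA identifier manually"
    return may_issue(ident, name, zone)


if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.your-domain.com"),
                     ("digicert.com", "www.your-domain.com"),
                     ("letsencrypt.org", "*.your-domain.com"),
                     ("digicert.com", "dev.your-domain.com"),
                     ("sectigo.com", "report-only.example"),
                     ("sectigo.com", "unrelated.example")]:
        print(f"{ca:16} {name:24} {may_issue(ca, name)}")
    print(current_issuer_covered("issuer=C = US, O = Let's Encrypt, CN = R3", "your-domain.com"))
```

Running it prints one decision with its reason per (CA, name) pair, which makes the inheritance to www.your-domain.com, the override at dev.your-domain.com and the wildcard refusal visible side by side. current_issuer_covered takes the issuer line produced by the openssl command from mistake 1 and reports whether that CA would still be allowed to renew under the policy you are about to publish.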


Check Your Domain

https://siteguardian.io/scan


Next week in Part 9: Cookie Compliance — pre-consent cookies, third-party transfers, and what CNIL, AEPD, and the CJEU have to say about it.

How does your website compare?

SiteGuardian scans your domain across six security dimensions — free, instant, no registration.


EU Web Security: 10 Steps to a Better Rating

This article is part of a weekly series on EU web security best practices.

SiteGuardian

2026-06-01
