Configure a CAA record. It's worth it

13-11-2017 11:28:32

In September this year we wrote about the requirement, in force since September 8, 2017, that SSL certificate issuers check the CAA record in the DNS of any domain requesting a certificate. If you are a webmaster, you now have an additional tool in your hands to protect yourself against the issuance of unauthorized certificates for your domain.

Low CAA popularity

Thanks to the attention CAA received in 2017, the number of deployments has increased significantly. SSL Pulse reports that the number of sites using CAA has doubled since September 2017 and has grown more than tenfold over the year. Even at this growth rate, only a few thousand websites use CAA, so it remains a niche security mechanism.

Why deploy CAA?

CAA is not just a safety mechanism. Beyond reducing risk by limiting which CAs may issue certificates for your domain, CAA is also a useful tool for enforcing corporate policies on SSL certificates. Many organizations struggle to enforce their own policies on purchasing and deploying SSL certificates, which matters most in large organizations with many offices or branches.
If someone in your business sets up a new service under your domain and requests a certificate, he or she will be limited to the approved list of Certification Authorities. You can also publish a reporting URL or e-mail address to receive notifications from CAs when they receive a request they cannot fulfil.

How to implement a CAA record

Since most admins have not yet implemented CAA, we have prepared a brief guide. CAA is a fairly easy-to-use mechanism and carries a significantly lower risk of configuration or operational errors than other mechanisms such as HSTS or HPKP. There is one technical precondition for using CAA: if you use managed DNS, the provider must support the CAA resource record, because it is a new DNS record type.
  • Determine which Certification Authorities your organization uses and write them down as a list. Even if the list runs to "as many as" 10 CAs, it is still worth doing;
  • Use the list to enter each CA into a CAA record;
  • You can update your CAA record at any time if you want to change the list of Certification Authorities;
  • Create the CAA record in your DNS.

Sample CAA record

A record that would allow DigiCert to issue certificates for a site:
yourdomain.com. CAA 0 issue "digicert.com"
This record also applies to all subdomains of the domain, as long as the subdomain does not have a CAA record of its own. To authorize additional CAs, add a separate CAA record for each of them.
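As an added example (not part of the original article), the following Python model shows the decision a CA makes against CAA data before issuing: it climbs the DNS tree to find the governing record, honours issue/issuewild, and collects the iodef reporting address. The zone contents are constructed stand-ins for DNS answers; only the digicert.com record is taken from the sample above.

```python
"""Toy CAA policy checker modelling the issuance decision of RFC 6844/8659."""

# Constructed stand-in for DNS answers: owner name -> list of (flags, tag, value).
# yourdomain.com. carries the sample record from the article plus a constructed iodef contact.
ZONE = {
    "yourdomain.com.": [
        (0, "issue", "digicert.com"),
        (0, "iodef", "mailto:security@yourdomain.com"),   # constructed contact
    ],
    # Constructed subdomain with its own, different policy.
    "shop.yourdomain.com.": [(0, "issue", "letsencrypt.org")],
    # Constructed label that forbids every CA: an 'issue' with an empty issuer domain.
    "locked.yourdomain.com.": [(0, "issue", ";")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parent(name):
    """Strip the leftmost label; None once the root is reached."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def relevant_caa(name):
    """Climb toward the root; the closest owner that has any CAA RRset governs."""
    while name:
        if name in ZONE:
            return ZONE[name]
        name = parent(name)
    return []


def issuer_domain(value):
    """'digicert.com; account=42' -> 'digicert.com'; ';' -> '' (deny all)."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(name, ca_domain, wildcard=False):
    """True when ca_domain may issue for name (or *.name when wildcard=True)."""
    rrset = relevant_caa(name)
    if not rrset:
        return True                    # no CAA anywhere up the tree: unrestricted
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False                   # unknown property flagged critical: must refuse
    tags = {t for _, t, _ in rrset}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return True                    # e.g. only iodef present: no restriction
    return ca_domain.lower() in {issuer_domain(v) for _, t, v in rrset if t == tag}


def report_targets(name):
    """iodef URLs a CA should notify when it has to refuse a request."""
    return [v for _, t, v in relevant_caa(name) if t == "iodef"]
```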
