Don't let just "anyone" issue a certificate for your domain!

If you run your website, you probably secure it with HTTPS (if not, you really should). And if you’re techy and smart, you’re using Let’s Encrypt to do so.

That makes Let’s Encrypt your CA (Certificate Authority): in our example they are the ones issuing the certificate for you. But you could have used any CA to get a certificate, and that means any CA, not just the one you chose, can issue a certificate for your domain.

This has been abused in the past: a misbehaving CA issued a certificate it shouldn’t have, which was then used for successful MITM (man-in-the-middle) attacks.

Meet CAA!

With CAA (Certification Authority Authorization), you can specify which CAs may issue certificates for your domain. Any good CA will respect this record (they are expected to do so), and a CA that is not listed will refuse to issue a certificate altogether. This helps to prevent such attacks.

In our example where we are using Let’s Encrypt, we don’t want anyone other than Let’s Encrypt to issue a certificate for us!

Each CA has a domain name that identifies it in CAA DNS records.

For Let’s Encrypt that domain name is letsencrypt.org. So to make sure only Let’s Encrypt issues certificates for us, we create a new DNS record of type CAA that names letsencrypt.org.

The record might look something like the following:

example.org. CAA 128 issue "letsencrypt.org"
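To see what a CA actually does with such a record, here is a small checker (an added example, not part of the original post) that parses CAA records in the presentation format shown above and applies the RFC 8659 rules: the nearest CAA RRset walking up from the hostname governs, an empty issuer (";") forbids everyone, and issuewild only overrides issue for wildcard requests when it is present. The zone data and the CA name "other-ca.example" are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample zone (not real DNS answers): the record from the post,
# plus a subdomain whose empty issuer forbids any CA from issuing.
ZONE: Dict[str, List[str]] = {
    "example.org.": ['example.org. CAA 128 issue "letsencrypt.org"'],
    "static.example.org.": ['static.example.org. CAA 0 issue ";"'],
}

# owner [TTL] [IN] CAA flags tag "value"
_CAA_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"$')

def parse_caa(line: str) -> Tuple[str, int, str, str]:
    """Parse one CAA record; returns (owner, flags, tag, value).
    Flag 128 marks the property critical: a CA that does not understand the
    tag must refuse to issue rather than ignore it."""
    m = _CAA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    owner, flags, tag, value = m.groups()
    return owner, int(flags), tag.lower(), value

def relevant_rrset(name: str, zone: Dict[str, List[str]]) -> List[str]:
    """Walk from the hostname toward the root and use the first CAA RRset
    found, so www.example.org inherits the records of example.org."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if zone.get(candidate):
            return zone[candidate]
    return []

def issuance_allowed(name: str, ca: str, wildcard: bool = False,
                     zone: Dict[str, List[str]] = ZONE) -> bool:
    """Return True if CA `ca` may issue for `name` (or *.name if wildcard).
    No CAA records anywhere means any CA may issue (the pre-CAA default)."""
    records = [parse_caa(r) for r in relevant_rrset(name, zone)]
    if not records:
        return True
    issue = [v for _, _, tag, v in records if tag == "issue"]
    issuewild = [v for _, _, tag, v in records if tag == "issuewild"]
    # issuewild governs wildcard requests only when present; else issue does.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:  # only unrelated tags (e.g. iodef) present
        return True
    # Value is "<issuer-domain>[; param=value ...]"; an empty issuer means nobody.
    issuers = {v.split(";")[0].strip().lower() for v in governing}
    return ca.lower() in issuers
```

Running the checker against your own zone before and after adding the record is a quick way to confirm the policy does what you intend for every hostname you serve.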

Creating the record with your DNS provider

If you use Cloudflare as your DNS provider, as I do, you simply create a new DNS record, choose the type “CAA”, enter “@” in the “name” field and “letsencrypt.org” in the “CA domain name” field. Note that if you choose to only allow specific hostnames, you won’t be able to get a wildcard certificate. But maybe you should ask yourself whether a wildcard certificate is what you really need. In most cases you don’t. If you don’t know what a wildcard certificate is, you probably don’t need to worry. :)

Repeat the setup for each subdomain, replacing “@” with the subdomain name, e.g. “www”.

The exact setup varies across providers, but it’s similar in general. If your provider does not support CAA, you might want to switch to a new DNS provider; you can do so without moving your hosting or domain provider. I can recommend Cloudflare, and the proxying is of course optional. I use them for DNS only in some cases.

A note on Cloudflare

If you are using Cloudflare as a proxy/firewall, then, as stated in their documentation, you do NOT want to add a CAA record. This is because in that case Cloudflare sits in front of your server and issues the certificate for you that is then used “towards the outside world”.

Conclusion

Setting up CAA for your domain(s) is quick and easy and helps to secure your website further. You should set it up right now!

External Links

Further reading on securing your site