CAA Checking for SSL Certificates

Nov 21, 2024

Introduction

In line with the CA/B Forum's Ballot 187 - Make CAA Checking Mandatory, GlobalSign implements CAA Checking for SSL Certificates. CAA is validated before issuance of all publicly trusted SSL Certificates, namely AlphaSSL, DomainSSL, OrganizationSSL, ExtendedSSL, CloudSSL and CloudSSL SAN orders, and upon issuance of MSSL domains. For Domain Validated SSL products, if the CAA is set up incorrectly, you will receive an error during the domain validation steps. If you have purchased a higher validation product, you will be contacted by the verification agent if your DNS CAA record is not compatible with GlobalSign.

CAA Checking is carried out to improve the strength of the PKI ecosystem with a control to restrict which CAs can issue certificates for a particular domain name. Certificate Authorities will be obligated to check for DNS CAA records and honor those preferences. If no DNS CAA record is present, any CA is allowed to issue a certificate for the domain. If a DNS CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname. Also, when processing DNS CAA records, GlobalSign will process the issue, issuewild, and iodef property tags as specified in RFC 6844.

Common Errors

Error message: issuer = other CA

Reason: Our system has detected that your DNS CAA records contain entries, and "globalsign.com" is not one of them.

Solution: Add "globalsign.com" to your CAA entries and try again. Please note that this may take up to an hour to propagate, so that the DNS CAA record cache has been cleared.

Error message: servfail

Reason: A SERVFAIL response would be returned in one of two cases:

  • We cannot connect to the authoritative DNS server(s) - it's possible they are behind a firewall, or there's some other routing issue

  • Their servers have returned an error that they are unable to answer that query. No reason is given for the failure.

Solution: In the event of a SERVFAIL response, we would recommend that the customer perform some manual testing to see if they get a SERVFAIL directly from their server when doing a lookup against it, and/or use a propagation tool like DNS Checker - DNS Check Propagation Tool to see if the server is generally available globally.

SERVFAIL errors can be transient (e.g. due to a temporary routing issue somewhere between GlobalSign and the customer DNS server, or a service restart or similar). If no problems are found, it is worth trying again.

Error message: i/o timeout (non-responsive)

Reason: The timeout error implies that your nameservers are down. This error can only happen for DNSSEC-enabled domains with non-responsive nameservers.

Solution: If you are presented with this error message, please make sure that your nameservers are up and running and externally reachable.

Please contact your DNS provider to verify what causes the failed response from the DNS server, and work with them to resolve the issue. In case there's a firewall in place, please make sure that these IP addresses are allowed access to your DNS records: 133.88.7.1 and/or 133.88.7.2. When your DNS server is properly set up, you can try again to verify your order. Please note that CAA check responses are cached for a maximum of one (1) hour.

Overview of CAA Checking for SSL

What is CAA Checking?

CAA (Certificate Authority Authorization) Checking is a control to restrict which CAs can issue certificates for a particular domain name. By configuring the DNS CAA record, domain owners can specify which Certification Authorities are authorized to issue certificates for that domain name. There are two different ways to modify your DNS CAA records; please refer to the following guidelines:

  1. How to add DNS CAA record in a hosted DNS
  2. How to add DNS CAA record to a DNS zone file

Note: If you have any issues or questions about whether CAA is supported with your setup, contact your DNS manager for further details.

How does it work?

Domain owners create DNS CAA records that list the CAs they permit to issue certificates to the domain. If a domain has a DNS CAA record, only the CAs listed in the record(s) are allowed to issue certificates for that domain. If no DNS CAA record is present, any CA is allowed to issue certificates for that domain name.
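The following is an added example, not GlobalSign's code, showing how a CA-side check evaluates the rules described in the introduction and in this section: climb from the requested name towards the root until a CAA RRset is found, treat "no record" as "any CA may issue", apply the issue / issuewild / iodef property tags from RFC 6844, and map DNS failures to the "servfail" and "issuer = other CA" outcomes listed under Common Errors. The resolver is a constructed in-memory zone, not real DNS; "other-ca.example", "strict.example.com", "restricted.example.com" and the "futuretag" property are assumed placeholders, while "globalsign.com" is the page's own example issuer.

```python
"""CAA authorization check following RFC 6844 (added example, not GlobalSign's code)."""
from dataclasses import dataclass

CRITICAL = 128  # issuer-critical bit in the CAA flags octet (RFC 6844 section 5.1)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


class ServFail(Exception):
    """Raised when the authoritative server cannot answer (the page's 'servfail' error)."""


# Constructed zone data (assumption, not real DNS): name -> CAA RRset.
# An empty list means the name exists but carries no CAA records.
ZONE = {
    "example.com": [CAARecord(0, "issue", "globalsign.com"),
                    CAARecord(0, "iodef", "mailto:security@example.com")],
    "restricted.example.com": [CAARecord(0, "issue", "other-ca.example"),
                               CAARecord(0, "issuewild", ";")],      # ";" = no wildcard issuance
    "strict.example.com": [CAARecord(CRITICAL, "futuretag", "x")],   # unknown critical tag
    "broken.example.com": ServFail,                                  # server returns SERVFAIL
    "open.example": [],
}


def lookup_caa(name):
    """Return the CAA RRset for `name` from the constructed zone, or raise ServFail."""
    entry = ZONE.get(name, [])
    if entry is ServFail:
        raise ServFail(name)
    return entry


def relevant_rrset(name):
    """RFC 6844 section 4: the relevant RRset is the first non-empty one found
    walking from the name itself up through its parents towards the root."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_listed(ca, records):
    """True if `ca` matches the issuer domain of any record (parameters after ';' ignored)."""
    return any(r.value.split(";")[0].strip().lower() == ca.lower() for r in records)


def is_issuance_permitted(name, ca, wildcard=False):
    """Return (permitted, reason) for `ca` issuing for `name`, or for *.name if wildcard."""
    rrset = relevant_rrset(name)
    if not rrset:
        return True, "no CAA record found: any CA may issue"
    known = {"issue", "issuewild", "iodef"}
    # A record flagged critical with a tag the CA does not understand forbids issuance.
    if any(r.flags & CRITICAL and r.tag.lower() not in known for r in rrset):
        return False, "critical CAA property with unknown tag: must not issue"
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # issuewild governs wildcard names only when present; otherwise issue applies to both.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, "relevant RRset has no issue/issuewild property: issuance permitted"
    if ca_listed(ca, applicable):
        return True, f"{ca} is listed as a permitted issuer"
    return False, "issuer = other CA"


def check(name, ca, wildcard=False):
    """Evaluate and turn a DNS failure into the page's 'servfail' outcome instead of a crash."""
    try:
        return is_issuance_permitted(name, ca, wildcard)
    except ServFail:
        return False, "servfail"


def zone_file_line(name, tag, value, flags=0):
    """Render the CAA record a domain owner would add to a zone file."""
    return f'{name.rstrip(".")}. IN CAA {flags} {tag} "{value}"'


if __name__ == "__main__":
    for host, ca, wild in [("www.example.com", "globalsign.com", False),
                           ("restricted.example.com", "globalsign.com", False),
                           ("restricted.example.com", "other-ca.example", True),
                           ("broken.example.com", "globalsign.com", False)]:
        print(host, ca, "wildcard" if wild else "", "->", check(host, ca, wild))
    print(zone_file_line("example.com", "issue", "globalsign.com"))
```

Note that www.example.com has no CAA records of its own, so the check climbs to example.com and accepts globalsign.com, while restricted.example.com lists a different issuer and yields the page's "issuer = other CA" result. The iodef record does not affect the decision; it only names a reporting address.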

Why is it needed?

Previously, any CA could issue a certificate for any domain name, which left the PKI ecosystem vulnerable. Hence, the CA/Browser Forum, through Ballot 187, made CAA Checking mandatory to improve the strength of the PKI system.

What happens to the SSL certificates I already have?

This change doesn't affect existing SSL certificates. However, for new orders, reissues, and renewals, if a domain has DNS CAA record(s) and none of those records contains globalsign.com as a permitted issuer, then GlobalSign is prohibited from issuing a certificate for that domain (or subdomain).
Your DNS CAA record should contain "globalsign.com" as shown below.
[Image: example DNS CAA record containing "globalsign.com"]

References

1. Ballot 187 - Make CAA Checking Mandatory
2. Baseline Requirements
3. DNS Certification Authority Authorization (CAA) Resource Record
4. What is the CA/Browser Forum and What is its Role in Internet Security
