In line with the CA/Browser Forum's Ballot 187 (Make CAA Checking Mandatory), GlobalSign implements CAA checking for SSL Certificates starting August 28, 2017. From that date, CAA is validated as part of domain vetting during the ordering process for all publicly trusted SSL Certificates, namely AlphaSSL, DomainSSL, OrganizationSSL, ExtendedSSL, CloudSSL and CloudSSL SAN orders, and upon issuance of MSSL domains. For Domain Validated SSL products, a DNS CAA record that does not permit GlobalSign produces a warning during the domain validation steps; for higher validation products, the verification agent will contact you if your DNS CAA record is not compatible with GlobalSign.
This change strengthens the PKI ecosystem by adding a control that restricts which CAs can issue certificates for a particular domain name. The CA/Browser Forum voted to mandate CAA support as part of the Baseline Requirements, so Certificate Authorities are obligated to look up DNS CAA records and honor them before issuing. If no DNS CAA record is present, any CA is allowed to issue a certificate for the domain. If a DNS CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname. Note that the relevant record set is found by searching the hostname itself and then each parent domain in turn (RFC 6844, section 4), so a CAA record on example.com also governs a subdomain such as www.example.com unless that subdomain publishes CAA records of its own. When processing DNS CAA records, GlobalSign evaluates the issue, issuewild and iodef property tags as specified in RFC 6844.
| Date | Milestone |
|---|---|
| August 28, 2017 | GlobalSign implements CAA Checking for SSL |
| September 08, 2017 | CA/Browser Forum deadline for CA adoption of CAA Checking for SSL |
| October 11, 2017 | GlobalSign implements CAA Checking logic updates |
CAA error messages and how to resolve them

Error: issuer = other CA
Description: Our system has detected that your DNS CAA records contain entries, and "globalsign.com" is not one of them.
Resolution: Add "globalsign.com" to your CAA entries and try again. Please note that this may take up to an hour to propagate, so make sure the DNS CAA record cache has been cleared before retrying.

Error: DNSSEC validation chain failure
Description: This issue stems from a DNSSEC validation chain failure. It could be that your zone is not actually signed even though its parent publishes a DS record for it, or that it is incorrectly signed.
Resolution: You can use a DNSSEC debugger to locate the problem. If you have multiple nameservers, or master and slave nameservers, make sure that all of them serve the correct DNSKEY and RRSIG records. Contact your DNS provider to verify what causes the error, and work with them to resolve it. When your DNS is properly set up, you can try again to verify your order. Please note that CAA check responses are cached for a maximum of one (1) hour.

Error: i/o timeout (non-responsive)
Description: The timeout error means that your nameservers did not answer the CAA query. Under the Baseline Requirements, a CA may treat a CAA lookup failure as permission to issue only if the failure is outside the CA's infrastructure, the lookup has been retried, and the zone has no DNSSEC validation chain to the ICANN root; this is why the error is only raised for DNSSEC-enabled domains with non-responsive nameservers.
Resolution: If you are presented with this error message, make sure that your nameservers are up and running and externally reachable. Contact your DNS provider to verify what causes the failed response from the DNS server, and work with them to resolve the issue. If a firewall is in place, make sure that this IP address is allowed to query your DNS records: 18.104.22.168. When your DNS server is properly set up, you can try again to verify your order. Please note that CAA check responses are cached for a maximum of one (1) hour.
Overview of the CAA Checking for SSL
What is CAA Checking?
CAA (Certificate Authority Authorization) Checking is a control that restricts which CAs can issue certificates for a particular domain name. By publishing a DNS CAA record, a domain owner specifies which Certification Authorities are authorized to issue certificates for that domain name. There are two different ways to modify your DNS CAA records. Please refer to the following guidelines below:
Note: If you have any issues or questions about whether CAA is supported with your setup, contact your DNS provider for further details.
How does it work?
Domain owners create DNS CAA records that list the CAs they permit to issue certificates to the domain. If a domain has a DNS CAA record, only the CAs listed in the record(s) are allowed to issue certificates for that domain. If no DNS CAA record is present, any CA is allowed to issue certificates for that domain name.
Why is it needed?
Previously, any CA could issue a certificate for any domain name, and a domain owner had no standardized way to restrict this, which left the PKI ecosystem exposed to mis-issuance. Hence, the CA/Browser Forum, through Ballot 187, made CAA checking mandatory to strengthen the PKI system.
What happens to the SSL certificates I already have?
This change doesn't affect existing SSL certificates. However, for new orders, reissues and renewals, if a domain has DNS CAA record(s) and none of them list globalsign.com as a permitted issuer, then GlobalSign is prohibited from issuing a certificate for that domain (or for a subdomain that inherits the record).
Your DNS CAA record should contain "globalsign.com" as shown below.
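The record form the text refers to, together with the check a CA applies to it, as an added example in Python written for this page (not GlobalSign's code or tooling). The zone lines are constructed sample data in the RFC 6844 presentation format: the first is the form a domain owner adds to permit GlobalSign, the others exercise the "issuer = other CA" case from the error table above, a deny-all record, a wildcard name and an unknown critical tag. The checker implements the parent-domain search and the issue/issuewild handling described under "How does it work?"; CNAME and DNAME handling from RFC 6844 is omitted.

```python
"""Added example (not GlobalSign's code): parse CAA records in RFC 6844
presentation format and apply the issuance check a CA performs."""
import re

# Constructed sample records (not real DNS). The first line is the record a
# domain owner publishes so that GlobalSign may issue; the rest exercise other cases.
SAMPLE_ZONE_TEXT = """
example.com.          IN CAA 0   issue      "globalsign.com"
example.com.          IN CAA 0   iodef      "mailto:security@example.com"
other.example.com.    IN CAA 0   issue      "letsencrypt.org"
locked.example.com.   IN CAA 0   issue      ";"
wild.example.com.     IN CAA 0   issue      "digicert.com"
wild.example.com.     IN CAA 0   issuewild  "globalsign.com"
example.net.          IN CAA 128 future-tag "value"
"""

# owner [ttl] IN CAA flags tag "value"
CAA_LINE = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')


def parse_zone(text):
    """Return {owner name: [(flags, tag, value), ...]} from presentation-format lines."""
    zone = {}
    for line in text.strip().splitlines():
        m = CAA_LINE.match(line.strip())
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        owner, flags, tag, value = m.groups()
        owner = owner.lower().rstrip(".") + "."
        zone.setdefault(owner, []).append((int(flags), tag.lower(), value))
    return zone


def relevant_rrset(zone, fqdn):
    """RFC 6844 section 4: the CAA RRset at the FQDN, or at its nearest ancestor if it has none."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if name in zone:
            return name, zone[name]
    return None, []


def issuer_domain(value):
    """Issuer domain from an issue/issuewild value; parameters after ';' are
    ignored, and a bare ';' yields '' which matches no CA (deny all)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone, name, ca_domain):
    """Decide whether the CA identified by ca_domain may issue for name.
    Prefix name with '*.' for a wildcard certificate request."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name
    owner, rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True, "no CAA records: any CA may issue"
    # A critical flag (128) on a tag the CA does not understand means it must refuse.
    for flags, tag, _ in rrset:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False, f"{owner} has critical unknown tag {tag!r}; must refuse"
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # when present, issuewild overrides issue for wildcard names
    issuers = [issuer_domain(v) for _, t, v in rrset if t == tag]
    if not issuers:
        return True, f"{owner} has no {tag} property: issuance not restricted"
    if ca_domain.lower() in issuers:
        return True, f"{ca_domain} is permitted by {tag} at {owner}"
    return False, f"{owner} {tag} permits {issuers!r} only, not {ca_domain}"


SAMPLE_ZONE = parse_zone(SAMPLE_ZONE_TEXT)

if __name__ == "__main__":
    for n in ("www.example.com", "other.example.com", "locked.example.com",
              "*.wild.example.com", "host.example.net", "example.org"):
        print(n, caa_permits(SAMPLE_ZONE, n, "globalsign.com"))
```

The www.example.com case is the one that trips people up in practice: the host has no record, so the record on example.com decides, which is why adding globalsign.com at the apex is usually enough. The other.example.com case is exactly the "issuer = other CA" error above, and once the live record is changed the one-hour cache noted in the error table still applies before a retry will succeed.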
References
1. CA/Browser Forum, Ballot 187 - Make CAA Checking Mandatory
2. CA/Browser Forum, Baseline Requirements
3. RFC 6844, DNS Certification Authority Authorization (CAA) Resource Record
4. What is the CA/Browser Forum and What is its Role in Internet Security