Menu

CAA Checking for S/MIME Certificates

May 21, 2024

Introduction


CAA Checking is carried out to improve the strength of the PKI ecosystem with a control to restrict which CAs can issue certificates for a particular domain name. Certificate Authorities will be obligated to check for DNS CAA records and honor those preferences. If no DNS CAA record is present, any CA is allowed to issue a certificate for the domain. If a DNS CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname. Also, when processing DNS CAA records, GlobalSign will process the issuemail property tags as specified in RFC 9495: Certification Authority Authorization (CAA) Processing for Email Addresses (rfc-editor.org) 

Common Errors  

Error Message  Reason  Solution 
issuer = other CA 
 
Our system has detected that your DNS CAA records contain, entries, and "globalsign.com" is not one of them. 

 
Add "globalsign.com" in your CAA entries, against “issuemail” property tag, and try again. Please note that this may take up to an hour to propagate so as to make sure the DNS CAA record cache has been cleared. 

 
servfail 
This issue stems from a DNSSEC validation chain failure. It could be that your domain zone is not signed, or is incorrectly signed.  

 
You can try to use a DNSSEC Debugger to address the problem. If you have multiple nameservers, or master and slave nameservers, please make sure that all nameservers have the correct DNSKEY and RRSIGs.  
Please contact your DNS provider to verify what causes the error, and work with them to resolve the issue. When your DNS server is properly set up, you can try again to verify your order. Please note that CAA check responses are cached for a maximum of one (1) hour. 
Note: This DNS Debugger is not managed by GlobalSign. If you have issues using the tool, please contact them directly. 

 
i/o timeout (non-responsive) 
The timeout error implies that your nameservers are down. This error can only happen for DNSSEC enabled domains with non-responsive nameservers.  

 
If you are presented with this error message, please make sure that your nameservers are up and running and externally reachable.  
Please contact your DNS provider to verify what causes the failed response from the DNS server, and work with them to resolve the issue. In case there's a firewall in place, please make sure that this IP address is allowed access to your DNS records: 133.88.7.1 and/or 133.88.7.2. When your DNS server is properly set up, you can try again to verify your order. Please note that CAA check responses are cached for a maximum of one (1) hour. 
     

 

What is CAA Checking? 
 

CAA (Certificate Authority Authorization) Checking is a control to restrict which CAs can issue certificates for a particular domain name. By configuring the DNS CAA record, domain owners can specify which Certification Authorities are authorized to issue certificates to that domain name.
 
Note: If you have any issues or questions whether CAA is supported with your setup, contact your DNS manager for further details.  

How does it work? 
 

Domain owners create DNS CAA records that list the CAs they permit to issue certificates to the domain. If a domain has a DNS CAA record, only the CAs listed in the record(s) are allowed to issue certificates for that domain. If no DNS CAA record is present, any CA is allowed to issue certificates for that domain name. 

What happens to the S/MIME certificates I already have? 
 

This change doesn't affect existing S/MIME certificates. However, for new, reissues, and renewals, if a domain has a DNS CAA record(s) against “issuemail” property tag, and none of those records contained globalsign.com as a permitted issuer, then GlobalSign would be prohibited from reissuing a certificate to that domain (or subdomain). 
Your DNS CAA record should contain "globalsign.com" as shown below.  
 
globalsign.com@8.8.4.4 (Default): 
 
globalsign.com            299          IN         CAA        0 issuemail “globalsign.com” 

Guidelines 
 

DNS Services all have their own management interfaces and ways to add DNS CAA records. As such, you have to contact your DNS manager for details. However, we have listed the available guidelines below for your reference.  
 
How to add update and remove a DNS CAA Record 
 
Please refer to this external article for more information : please use “issuemail” tag and set globalsign.com against this. 

 
https://support.dnsimple.com/articles/manage-caa-record/ 

 

 

Related Articles

Enterprise PKI Admin Guide

Mar 2, 2020, 5:27 AM

Enterprise PKI is a platform that provides instant issuance of multi-functional digital certificates through pre-vetted company profiles. Certificates issued through ePKI can be used for document signing...

Read More

RSASSA-PSS Signing Algorithm Support

Mar 2, 2020, 6:28 AM

GlobalSign supports the RSASSA-PSS signing algorithm for all S/MIME Certificates issued via Enterprise PKI (effective October 29, 2018).

Read More

Reissue EPKI Certificates

Feb 11, 2020, 11:54 AM

Read More

GlobalSign System Alerts

View recent system alerts.

View Alerts

Atlas Discovery

Scan your endpoints to locate all of your Certificates.

Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.

Contact Support

Contact Us
close
Sales: 1-877-775-4562
Support: 1-877-775-4562
E-Mail: sales-us@globalsign.com