More
Configure the CAA record. It's worth

Configure the CAA record. It's worth

13-11-2017 11:28:32

On September this year we have talked about the obligation for SSL certificate issuers to verify the CAA in client DNS records requesting SSL since September 8, 2017. If you are a webmaster now, there is an additional tool in your hands to protect you from invalid certificate issuance.

Low CAA popularity

Due to the buzz around the CAA in 2017, the number of deployments has increased significantly. SSL Pulse reports that the number of sites using CAA has doubled since September 2017, and has grown more than tenfold over the year. Even with this growth rate, only a few thousand websites use CAA, which is still a niche security mechanism ...

Why deploy CAA?

CAA is not just a safety mechanism. In addition to minimizing risk by limiting CAs certification to issuing certificates for your domain, CAA is also a useful tool for enforcing corporate policies related to SSL certificates. Many organizations are struggling to comply with their SSL purchase and deployment policies. This is particularly important in large organizations with many offices or branches.
Example
If someone in your business creates a new service in your domain and requests a certificate, he or she will be able to use a limited list of approved offices. You can also set up a reporting URL or email address to receive notifications from CAs when they receive a request they can not fulfill.

How to implement a CAA record

Since most admins have not yet implemented the CAA, we have prepared a brief manual. CAA is a fairly easy-to-use mechanism and involves a significantly lower risk of configuration or operational errors than other mechanisms such as HSTS or HPKP. There is a technical precondition for using CAA. If you are using managed DNS, the provider must add CAA support because it is a new DNS resource record.
  • Specify which CA (Offices) are used by your organization. Create a list. If the list is to include "up to" 10 Offices it's still worth it;
  • Use list to enter CA to CAA record;
  • You can always update your CAA record if you want to change the list of Certification Authorities
  • Create a CAA DNS record.

Sample CAA record

A record that would allow DigiCert to issue certificates for a site:
 
yourdomain.com. CAA 0 issue "digicert.com"
 
This record would apply to all subdomains in the domain. If you want to authorize additional CAs, a new line will be created for each CA.
 
 

Recent Posts

Comodo / Sectigo is changing its Root CAs
28-12-2018 11:23:52

Sectigo, formerly known as Comodo CA, is entering the next phase of its transition: it’s replacing Comodo CA roots with USERTrust roots on January 14, 2019. Why it happens and what it will mean to Sectigo customers?

Comodo / Sectigo is changing its Root CAs
Comodo is now Sectigo
09-11-2018 12:54:30

According to previous announcements, a year after the acquisition of Comodo Group by Francisco Partners, on November 1 Comodo CA announced that from now on it is changing its brand to Sectigo [pronounced. sec-tee-go]. The goal of rebranding is consistency in company communication and better dedication to what Comodo is doing now.

Comodo is now Sectigo
European Cyber Security Month 2018
27-09-2018 10:46:21

The European Union Agency for Network and Information Security (ENISA), which is the center of knowledge about cyber security in Europe, organizes as every year in October the European Cyber Security Month. The campaign is starting in a few days. What is its purpose and how can you participate in it?

European Cyber Security Month 2018
more posts

cyber_Folks S.A. – Cookie settings

Do you like good cookies? We too! Some cookies are required for the website to function properly. Also accept additional cookies related to service performance, social networking and marketing. Cookies are also used to personalize ads. Thanks to them, you will get the best experience of our website, which we are constantly improving. The consent granted voluntarily may be withdrawn or modified at any time. More information about the cookies used can be found in our privacy policy. If you prefer to specify your preferences precisely - see the types of cookies below.

Functional (always active)

These are cookies that are necessary for the website to function. The website will not function fully properly without accepting these types of cookies. Example: A cookie that saves your consent or objection is needed so that we know if we have your consent for certain actions on the website, they will also allow you to log in to the Customer Panel, place an order or contact us via chat.

Analytical and performance

They will make it possible to collect information on how to use the website. These files will allow us to count visits and traffic sources to our site, so we can measure and improve its performance, as well as find out which pages are the most and least popular, and understand how visitors navigate our site. They help us analyze website performance and collect synthetic information. Example: We can make heatmaps, so we know which content is readable and which is not, and this allows for better website design. Thanks to them, we can also see which blog entries were read more often and which less often, which allows us to develop more interesting content. The main tool we use is Google Analytics.

Social

It is social platform cookies that will enable you to be associated with your social media accounts. You can share content from our website there. Social network files (from third parties, such as Facebook) collect information to provide personalized advertising content. For example: Ads on your social media are better suited to you and you reduce the chance of seeing excess ads for already purchased services or products.

Marketing

These are files related to the operation of marketing automation systems and ad accountability. Thanks to them, we limit, for example, the number of views of a given advertisement. They also allow us to perform comparative tests, thanks to which we constantly improve the operation of our website. By testing multiple page layouts, it is easier to get one that provides the best readability for users. Communication also becomes more personalized. For example, we may give you an article on how to find a domain name when we see that you are looking for a domain and it is difficult for you to find a suitable name. We can also, for example, show you a hint about logging in, if we see several unsuccessful attempts in a row. Based on the information from these cookies and activity on other websites, your interest profile is built. We mainly use the Google and Facebook advertising network.