CAA Effective Policy Checker

Check effective CAA (Certificate Authority Authorization) policies by walking up the domain label chain. Determine which Certificate Authorities are authorized to issue certificates for a domain.

Understanding CAA Records

CAA Record Format

flag tag "value"
  • Flag: 0 (non-critical) or 128 (critical)
  • Tag: issue, issuewild, or iodef
  • Value: CA domain or contact information

CAA Tags

issue: Authorizes a CA to issue certificates for the domain
issuewild: Authorizes a CA to issue wildcard certificates
iodef: Specifies a URL/email for incident reporting

CAA Lookup Process

  1. Check for CAA records at the requested domain
  2. If none found, check the parent domain
  3. Continue up the tree until CAA records are found
  4. If no CAA records exist, any CA can issue certificates
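The lookup steps above as an added example (not the checker's own code). It walks a constructed in-memory zone instead of querying DNS, and the names SAMPLE_ZONE, parse_caa and effective_policy are hypothetical. It goes slightly beyond the four steps by applying two RFC 8659 rules: issuewild takes precedence over issue for wildcard names, and a critical record with an unrecognized tag blocks issuance.

```python
# Added example: effective CAA policy over a constructed in-memory zone (no DNS queries).
import re

# Constructed sample data: owner name -> CAA records in 'flag tag "value"' form.
SAMPLE_ZONE = {
    "example.com": ['0 issue "letsencrypt.org"', '0 issuewild ";"',
                    '0 iodef "mailto:security@example.com"'],
    "locked.example.com": ['128 futuretag "x"', '0 issue "ca.example.net"'],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
RECORD_RE = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9]+)\s+"(.*)"$')

def parse_caa(text):
    """Split one record into (flag, tag, value); tags are case-insensitive."""
    m = RECORD_RE.match(text.strip())
    if not m or int(m.group(1)) > 255:
        raise ValueError(f"malformed CAA record: {text!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3).strip()

def effective_policy(name, zone=SAMPLE_ZONE):
    """Walk up the label chain and evaluate the first CAA record set found."""
    wildcard = name.startswith("*.")
    labels = (name[2:] if wildcard else name).rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        records = [parse_caa(r) for r in zone.get(owner, [])]
        if not records:
            continue  # steps 2-3: nothing at this name, try the parent
        # A critical (128) record with a tag we do not understand blocks issuance.
        blocked = any(f & 128 and t not in KNOWN_TAGS for f, t, _ in records)
        tag = "issue"
        # Wildcard requests use issuewild when present, otherwise fall back to issue.
        if wildcard and any(t == "issuewild" for _, t, _ in records):
            tag = "issuewild"
        # Drop parameters after ';'; an empty CA name (";") authorizes nobody.
        cas = {v.split(";")[0].strip() for _, t, v in records if t == tag}
        cas.discard("")
        # Only issue/issuewild (or a critical unknown tag) restrict issuance.
        restricted = blocked or any(t == tag for _, t, _ in records)
        return {"found_at": owner, "restricted": restricted,
                "allowed_cas": set() if blocked else cas,
                "iodef": [v for _, t, v in records if t == "iodef"]}
    # Step 4: no CAA records anywhere in the chain, so any CA may issue.
    return {"found_at": None, "restricted": False, "allowed_cas": set(), "iodef": []}
```

When "restricted" is false, the empty "allowed_cas" set means no CAA restriction applies; when it is true, an empty set means no CA is authorized.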

Common CAA Examples

0 issue "letsencrypt.org"
  • Allow Let's Encrypt to issue certificates

0 issuewild ";"
  • Prohibit wildcard certificate issuance

0 iodef "mailto:[email protected]"
  • Report policy violations to security team