CA, CAA and CT in Cloudflare

There’s a lot of acronyms there, so I guess I should start by explaining what I’m talking about!

Certificate Authority (CA)

A Certificate Authority (CA) is where you go to get the certificate for your website, whatever flavour you prefer.  Any publicly trusted CA has the technical ability to issue a certificate for any domain, which is why they must (and should!) perform domain validation checks to confirm that you actually control the domain before issuing.  But there is always the risk of a mis-issuance, whether through a bug in the validation, a compromised CA, or an attacker who manages to pass the validation for your domain.

Certificate Authority Authorization (CAA)

Certificate Authority Authorization (CAA) is a way of telling the world (and therefore all of the CAs) which CAs are authorised to issue certificates for your domain.  They are DNS records of type CAA, and each one names a CA (by the domain name that CA publishes for this purpose) that may issue ordinary certificates (the issue tag) and/or wildcard certificates (the issuewild tag) for your domain.  Before issuing, a CA looks up the CAA records for the name on the certificate, climbing to the parent domain if the name itself has none.  Of course a rogue or buggy CA could still ignore this, but checking CAA has been mandatory for publicly trusted CAs since September 2017, so issuing against your CAA records counts as a mis-issuance and the CA would be heavily penalised for it.  Note that CAA is only consulted at issuance time: it does nothing about a certificate that already exists, which is where CT comes in.

Certificate Transparency (CT)

Certificate Transparency (CT) is a public, append-only record of the certificates that CAs issue.  When a CA creates a new certificate, it submits it to one or more CT logs, and each log returns a signed certificate timestamp (SCT) that is delivered along with the certificate.  Browsers that enforce CT (Chrome and Safari do) will not consider a certificate valid without SCTs.  This means that even if a rogue CA was to issue a certificate for your domain, ignoring your CAA records, they would have to log it for it to work in those browsers, and you can monitor the logs and be notified of any certificate issued for your domain, so at least you know about it.  Facebook has a great tool for this.


So we’ve established that having CAA is a good idea, because it reduces the risk of a CA other than your own mis-issuing a certificate for your domain, but how do we set it up?  My site uses the Universal SSL feature of Cloudflare, and Cloudflare say that you don’t need to configure CAA records in this case because they add them automatically.  However, when I ran the server test on SSL Labs (great tool, by the way!) it said that I didn’t have any CAA records.

I posted on Twitter and got a response from Troy Hunt, but he thought they should be added automatically as well, I think…

After digging a bit deeper, I found an FAQ on Cloudflare that listed the 6 CAA records that they add, covering the 3 CAs that they use.  So I went to the “DNS” tab in Cloudflare and entered them manually:

    IN CAA 0 issue ""
    IN CAA 0 issue ""
    IN CAA 0 issue ""
    IN CAA 0 issuewild ""
    IN CAA 0 issuewild ""
    IN CAA 0 issuewild ""
    IN CAA 0 iodef ""

As you can see, there are actually 7 CAA records listed there.  The extra one is the “Send violation reports to URL” entry (iodef), which I added as well.  Its value is a URL that a CA can use to report a request that violated your policy, and it can be an http:, https: or mailto: URL; in my case I’ve gone for mailto:.
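To make the CAA rules concrete, here is an added example (my own illustration, not code from the original post or from Cloudflare) that evaluates a certificate request the way a CA must under RFC 8659, against a small constructed in-memory zone so it runs offline: it finds the relevant CAA record set by climbing from the requested name towards the root, lets issuewild override issue for wildcard names, treats an issue record with an empty issuer as “nobody may issue”, refuses on an unrecognised critical tag, and reports where violations should be sent. The CA names ca-one.example and ca-two.example and the zone contents are placeholders, not Cloudflare’s real issuers.

```python
# Added example, not code from the original post or from Cloudflare.
# Evaluates a CA's issuance request against CAA records following RFC 8659,
# using a constructed in-memory zone so it runs offline. All names below
# (example.com, ca-one.example, ca-two.example) are placeholders.
from dataclasses import dataclass

ISSUER_CRITICAL = 128                      # flags bit 7
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int   # 0 or 128 (issuer critical)
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # e.g. 'ca-one.example; validationmethods=dns-01'


# Constructed zone: owner name -> CAA RRset. A name with no entry has no CAA RRset.
ZONE = {
    "example.com": [
        CAA(0, "issue", "ca-one.example"),
        CAA(0, "issue", "ca-two.example; validationmethods=dns-01"),
        CAA(0, "issuewild", "ca-one.example"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    # 'issue ";"' names no issuer at all: nobody may issue for this name.
    "locked.example.com": [CAA(0, "issue", ";")],
}


def relevant_rrset(name, zone=ZONE):
    """RFC 8659 section 3: strip a leading '*' label, then look for a CAA RRset at
    the name and each parent in turn; the first non-empty RRset is the relevant one."""
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_of(value):
    """The issuer domain is everything before the first ';'; the rest are parameters."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca, name, zone=ZONE):
    """Return (allowed, reason) for CA `ca` issuing a certificate for `name`."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, "no CAA RRset at the name or any parent: issuance unrestricted"
    for r in rrset:
        # A critical flag on a tag the CA does not understand forbids issuance.
        if r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False, f"critical tag {r.tag!r} is not understood: must not issue"
    tags = {r.tag.lower() for r in rrset}
    if name.startswith("*.") and "issuewild" in tags:
        tag = "issuewild"   # issuewild takes precedence for wildcard names
    elif "issue" in tags:
        tag = "issue"       # wildcards fall back to issue when no issuewild exists
    else:
        return True, "CAA RRset has no issue/issuewild property: issuance unrestricted"
    allowed = {issuer_of(r.value) for r in rrset if r.tag.lower() == tag}
    if ca.lower() in allowed:
        return True, f"{ca} is authorised by an {tag} property"
    named = sorted(a for a in allowed if a) or "(nobody)"
    return False, f"{ca} is not in the {tag} set {named}"


def iodef_contacts(name, zone=ZONE):
    """Where a CA should report a request that violated the policy (mailto:/http(s):)."""
    return [r.value for r in relevant_rrset(name, zone) if r.tag.lower() == "iodef"]


if __name__ == "__main__":
    for ca, host in [("ca-one.example", "www.example.com"),
                     ("ca-two.example", "*.example.com"),
                     ("ca-one.example", "locked.example.com"),
                     ("ca-one.example", "unrelated.test")]:
        ok, why = may_issue(ca, host)
        print(f"{ca:16} -> {host:22} {'ALLOW' if ok else 'REFUSE'}: {why}")
```

Two points worth noticing when you run it: www.example.com has no CAA records of its own, so the lookup climbs to example.com and finds the policy there, which is exactly why Cloudflare’s records at the apex cover your subdomains; and *.example.com is refused for ca-two.example even though that CA is in the issue set, because once any issuewild record exists it alone decides wildcard issuance. Real CAA lookups also have to follow CNAMEs and cope with DNS failures, which this offline example leaves out.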

Now when I run the server test on SSL Labs I get a lovely green box which says “DNS Certification Authority Authorization (CAA) Policy found for this domain.”, which makes me very happy!
