CAA Question - issue / issuewild

Hi,

I have read through a lot of material but can't see a clear answer anywhere. I think to understand CAA fully you have to read a lot of RFC material. Question:

If I wanted to allow absolutely all certificates to be issued for example.com from both LetsEncrypt & Digicert do I need both 'issue' and 'issuewild' records for both LetsEncrypt & Digicert? I.e.

example.com 0 issue letsencrypt.org
example.com 0 issuewild letsencrypt.org
example.com 0 issue digicert.com
example.com 0 issuewild digicert.com

Some reference material I'm finding seems to suggest 'issue' allows for both wildcard and non-wildcard certificates to be issued?

Would the CAA setup above allow certificates to be issued / validated for "example.com", "wildcard.example.com", "subdomain.example.com", "subdomain.subdomain.example.com" & "wildcard.subdomain.example.com"?

Many thanks.

Yes, unless you override it with a more specific CAA record on a subdomain.

Also yes. If you want to forbid wildcard issuance you can use

example.com 0 issue "letsencrypt.org"
example.com 0 issue "digicert.com"
example.com 0 issuewild ";"

Thank you. So in other words I can allow absolutely everything for LetsEncrypt & Digicert with the following records:

example.com 0 issue "letsencrypt.org"
example.com 0 issue "digicert.com"


I think you didn't quite say what you meant, if you want only Digicert & Sectigo then you wouldn't be including Let's Encrypt.

If there are no issuewild entries, then wildcards follow the issue entries. That is, if you have any issuewild at all, then a wildcard has to match them, but if you only have issue entries, then they apply for both wildcard and non-wildcard certs.

Agreed, it (like many things relating to certificates) seems a lot more confusing than it has to be, with lots of cross-references to lots of documents. In this case, the paragraph I think you're looking for is in RFC 8659, section 4.3,

If at least one issuewild Property is specified in the Relevant RRset for a Wildcard Domain Name, each issue Property MUST be ignored when processing a request for that Wildcard Domain Name.

Which is trying to say that wildcards use the issuewild instead of issue, only if there is at least one issuewild property in existence.


Okay thanks. It was my mistake on the first bit. A typo. I meant to say LetsEncrypt & Digicert. I have edited the original post.


Yes, that will allow both those CAs to issue any certificates for example.com, regardless of whether it's a wildcard or not.


Thank you both! Very clear and helpful answers.


The edge case might be this one: RFC 8659: DNS Certification Authority Authorization (CAA) Resource Record

wild3.example.com         CAA 0 issuewild "ca2.example.org"
wild3.example.com         CAA 0 issue ";"
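Added example (not from any poster in this thread): a small Python model of the issue/issuewild rules from RFC 8659 section 4 as discussed above, covering the issue-only records from the original question, a subdomain override, and the wild3 edge case quoted in the previous post. The zone data is constructed, and dropping the `*.` label before the lookup is an assumption of this model rather than text from the thread.

```python
"""Model of RFC 8659 issue / issuewild evaluation against a tiny constructed zone."""

# Constructed zone data: owner name -> list of (flags, tag, value) CAA records.
# A name with no entry has no CAA RRset of its own and inherits from its parent.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com"),
    ],
    # More specific record on a subdomain overrides the parent's policy.
    "locked.example.com": [(0, "issue", ";")],
    # Edge case from RFC 8659: wildcards allowed for one CA, nothing else at all.
    "wild3.example.com": [
        (0, "issuewild", "ca2.example.org"),
        (0, "issue", ";"),
    ],
}


def relevant_rrset(name, zone):
    """Climb from `name` toward the root; the first non-empty CAA RRset wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []  # no CAA anywhere up the tree: issuance is unrestricted


def issuer_domain(value):
    """Strip parameters ('ca.example; account=1') and return the issuer domain."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn, ca_domain, zone=ZONE):
    """Return True if `ca_domain` may issue a certificate for `fqdn`."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn  # assumption: look up the base name
    rrset = [(f, t.lower(), v) for f, t, v in relevant_rrset(base, zone)]
    # RFC 8659 4.1: a critical flag on an unknown property forbids issuance.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False
    issue = [issuer_domain(v) for _, t, v in rrset if t == "issue"]
    issuewild = [issuer_domain(v) for _, t, v in rrset if t == "issuewild"]
    # RFC 8659 4.3: for a wildcard, issue is ignored only if issuewild exists.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # no issue-type property restricts this request
    return ca_domain.lower() in applicable  # ";" yields "" and matches no CA
```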

The previous posts were all helpful. Also, from this page is a link to this CAA generator:
https://sslmate.com/caa/

