Authorizing the authority

Photo by Hal Gatewood / Unsplash

I recently discovered that my certificates were not verifying the issuance from my certificate provider after running a certificate grading check on SSL Labs here: SSL Server Test (Powered by Qualys SSL Labs). You will see in the screenshot below that DNS CAA is showing up as a warning to indicate that I as the domain name owner have not specified which companies should be trusted to issue my SSL certificates which I install on services under my domain name. This could lead to the potential for man in the middle attacks with alternative certificates.

This wasn't really a big deal for me as I don't host anything that really requires all of this verification but the perfectionist in me wanted to get as close to an A+ grading as I could possibly get so I began looking into DNS CAA records and what was possible with them. I use Cloudflare for my DNS hosting which has a great user interface that does a really good job with a user-friendly UI to explain things. I created a new DNS record in Cloudflare and determined that I had 2 options for verifying who my DNS provider was and a 3rd option for the SSL certificate providers (LetsEncrypt, DigiCert, Comodo, etc) to send you any violation reports if false certificates are issued under your domain name.

I jumped straight into it with one of my domain names that I use for hosting my Unifi controller and I specified that I trust the LetsEncrypt certificate issuer to sign certificates for this domain name. I've chosen to specify each domain/sub-domain individually but as per the screenshot above, you can see that I can do all domains if this works better for you.

I thought to myself "Why stop at one when I can add them all in right now". I have several domains so decided to add all of them in with the same provider (I love free stuff so obviously LetsEncrypt is amazing and I use them for all my certificates).

Lastly, I decided that I wanted notifications if someone tries to issue certificates from other providers so I went ahead and created a record for all my domain names to email me when a certificate is issued that doesn't match my specified issuance provider.

Finally, I double checked my score on SSL Labs and you can see it's now showing all happy and even tells us who I chose as my issuance provider.

Happy days!

Nathan Gemmill

Nathan Gemmill