Versions Compared

Old Version 3

changes.mady.by.user Susanne Hansch

Saved on

compared with

New Version 4

changes.mady.by.user Susanne Hansch

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Panel
titleColor#FFFFFF
titleBGColor#E44313
titleTable of Contents

Table of Contents
outlinetrue
stylenone

A Certification Authority Authorisation record (CAA) defines the certification authority (CA=Certificate Authority) that is authorized to issue an S/MIME for a domain. This means that no other certification authority can issue an S/MIME for this domain.

Info
titleNew: CAA Records for S/MIME

If the CA GlobalSign is to be authorised to issue an S/MIME, a new property tag called "issuemail" can be set.
By March 2025 at the latest, the CAs DigiCert and Sectigo will also offer the CAA record for S/MIME certificates.

Setting up a CAA record for S/MIME

You can create the CAA records in the DNS settings of the domain.

Domain            RR-TypeValue
example.comCAA0 issuemail „globalsign.com“

The entry in the Value column consists of the following subentries:

Flag: A value between 0-255, used to represent the "critical flag" according to RFC.
Tag: An ASCII string that represents the property. In our case issuemail: Authorizes the CA specified for "value" to issue the certificates

Example according to BIND syntax:
example.com. 300 IN CAA 0 issuemail "globalsign.com"

Overview of the valid values for the certification authorities

To grant authorization to a CA and its product lines:

  • globalsign.com
  • digicert.com und www.digicert.com (TBD)

  • sectigo.com (TBD)

Allow multiple CAs to issue certificates

If several CAs are to be authorized to issue certificates, several CAA records can be entered per domain.

Info

Only the CAs named in the CAA records can issue S/MIMEs.
If certificates are to be issued for other CAs, the unneeded CAA record must be deleted or a new record must be created for the new CA.