2021-02-27

What's the ideal way to handle SSL Subject Alternative Names in a CAA record?

Suppose I want to request an SSL certificate from "Example CA" with the following domain names on it:

  • Subject Name: foocorp.com
  • Subject Alt Name: www.foocorp.com
  • Subject Alt Name: images.foocorp.com
  • Subject Alt Name: foocorp.net
  • Subject Alt Name: *.foocorp.net
  • Subject Alt Name: foocorp.biz
  • Subject Alt Name: *.foocorp.biz

If I wanted to implement CAA for this certificate, I could see a few ways to construct the DNS records to permit issuance. But it's not immediately clear if each method will work correctly for each domain. Here are the variants I've considered, and my thinking for each.

#1: Only implement the record for the domain listed as the Subject Name. If that's all the CA checks, that's all we need:

foocorp.com.    IN    CAA    0 issue "ca.example.com"

I have a sneaking suspicion that this won't work, and we have to add CAA records to everything listed in the SAN list for the certificate to be issued. If that's indeed the case, I suppose this won't work.

#2: List each domain as wild, and don't worry about any of the subdomains:

foocorp.com.    IN    CAA    0 issuewild "ca.example.com"
foocorp.net.    IN    CAA    0 issuewild "ca.example.com"
foocorp.biz.    IN    CAA    0 issuewild "ca.example.com"

This feels like the simplest approach that could work, although I'm not sure if I would have to re-specify any records using issue to allow issuance to the apex domains.

#3: Meticulously match the CAA records with the structure of the certificate:

foocorp.com.           IN    CAA    0 issue "ca.example.com"
www.foocorp.com.       IN    CAA    0 issue "ca.example.com"
images.foocorp.com.    IN    CAA    0 issue "ca.example.com"
foocorp.net.           IN    CAA    0 issue "ca.example.com"
foocorp.net.           IN    CAA    0 issuewild "ca.example.com"
foocorp.biz.           IN    CAA    0 issue "ca.example.com"
foocorp.biz.           IN    CAA    0 issuewild "ca.example.com"

This seems like a real pain in the butt to manage. As with option #2, it's not clear to me if issue+issuewild is over-specified and we could make do with keeping only one of them.


What's the best way to construct the CAA records for this situation?



from Recent Questions - Stack Overflow https://ift.tt/3dPmG3s
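As an added illustration (not part of the original question and not code from any CA), the following Python model runs the CAA check that RFC 8659 asks an issuer to perform, over in-memory zone data reproducing the three record layouts proposed above. The key rules it encodes: the relevant RRset is found by climbing from the requested name toward the root until a non-empty CAA RRset is found; `issuewild` governs wildcard names when present and is ignored for non-wildcard names; an empty relevant set, or one with no governing `issue` property, means no restriction; an unrecognised property with the critical flag forbids issuance. The name `other-ca.example` is a made-up second issuer used only to show what each option blocks, and the zone contents are constructed from the question.

```python
# Added example (not from the original question): a model of the CAA check
# that an issuer performs per RFC 8659, run over in-memory zone data that
# reproduces the three record layouts proposed in the question.
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit value 128 = issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", or an unknown tag
    value: str   # issuer-domain-name (";" alone means "no issuer")


CA = "ca.example.com"
# Constructed zone data mirroring options #1, #2 and #3 from the question.
OPTION_1 = {
    "foocorp.com": [CAARecord(0, "issue", CA)],
}
OPTION_2 = {
    "foocorp.com": [CAARecord(0, "issuewild", CA)],
    "foocorp.net": [CAARecord(0, "issuewild", CA)],
    "foocorp.biz": [CAARecord(0, "issuewild", CA)],
}
OPTION_3 = {
    "foocorp.com": [CAARecord(0, "issue", CA)],
    "www.foocorp.com": [CAARecord(0, "issue", CA)],
    "images.foocorp.com": [CAARecord(0, "issue", CA)],
    "foocorp.net": [CAARecord(0, "issue", CA), CAARecord(0, "issuewild", CA)],
    "foocorp.biz": [CAARecord(0, "issue", CA), CAARecord(0, "issuewild", CA)],
}
# The names requested on the certificate, exactly as listed in the question.
SAN_LIST = ["foocorp.com", "www.foocorp.com", "images.foocorp.com",
            "foocorp.net", "*.foocorp.net", "foocorp.biz", "*.foocorp.biz"]


def relevant_rrset(zone, name):
    """RFC 8659 section 3: use CAA(name) if non-empty, otherwise climb to the
    parent label by label; an empty set at the top means 'no CAA at all'."""
    labels = name.rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_domain(value):
    """The issuer-domain-name is the value up to the first ';' parameter."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone, name, ca):
    """Return True if `ca` is permitted to issue for `name` under `zone`."""
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True                       # no CAA in the tree: unrestricted
    for rec in rrset:                     # unknown critical tag: must not issue
        if rec.tag.lower() not in ("issue", "issuewild", "iodef") and rec.flags & 128:
            return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    if name.startswith("*.") and issuewild:
        governing = issuewild             # issuewild takes precedence for wildcards
    else:
        governing = issue                 # issuewild is ignored for non-wildcard names
    if not governing:
        return True                       # no issue restriction was requested
    return any(issuer_domain(r.value) == ca.lower() for r in governing)


def check_certificate(zone, names, ca):
    """Per-SAN result: a CA must get True for every name before issuing."""
    return {n: may_issue(zone, n, ca) for n in names}


if __name__ == "__main__":
    # "other-ca.example" is a made-up second issuer used to show what each
    # option actually blocks, not just what it permits.
    for label, zone in (("#1", OPTION_1), ("#2", OPTION_2), ("#3", OPTION_3)):
        for ca in (CA, "other-ca.example"):
            result = check_certificate(zone, SAN_LIST, ca)
            blocked = [n for n, ok in result.items() if not ok]
            print(f"option {label}, CA {ca}: blocked={blocked or 'none'}")
```

Running it shows the difference between "the intended CA can issue" and "only the intended CA can issue": all three layouts let `ca.example.com` issue for every SAN, but under the RFC 8659 rules option #1 leaves `foocorp.net` and `foocorp.biz` (and their wildcards) unrestricted because the climb from those names never reaches a CAA RRset, and option #2 leaves every non-wildcard name unrestricted because `issuewild` is ignored for them and no `issue` property exists. Only option #3 blocks the second issuer on every name, and the `issue`+`issuewild` pair on the apex is what makes both the apex and the wildcard governed. Checking each SAN individually against the relevant RRset, the way this model does, is also a useful pre-issuance sanity check to run before submitting a multi-name order.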