CAA-Records with ISPConfig

Requirements: ISPConfig >= 3.1 and Bind DNS-Server

cd /tmp
tar xfz caa-patch.tgz
cd caa-patch
php -q install.php

Install this patch on all servers in a multiserver-setup.

What is a CAA-Record?
A CAA record determines which certification authority is allowed to issue certificates for a domain. For this purpose, a CAA entry is published in the DNS, and the certification authority checks it before a certificate is issued. If no CAA record exists, any certification authority can issue a certificate.

Example 1: CAA
For the domain (and all hostnames) only the certification authority may create certificates.

Example 2: CAA CAA
For the domain (and all hostnames without www) only the certification authority may create certificates. For only is allowed to create certs.

Example 3 CAA account=4711
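
How a certification authority evaluates records like those in Examples 1 to 3, as an added example that is not part of the original post or the patch: it follows the RFC 8659 lookup (closest name with CAA records wins, issuewild takes precedence for wildcard names). The zone data, example.com and the CA names ca-one.example and ca-two.example are constructed placeholders; parameters such as account=4711 are split off but not evaluated, since checking them is up to the CA.

```python
# Added example (not ISPConfig code). All zone data below is constructed.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# name -> list of (flags, tag, value); layout mirrors Examples 2 and 3
ZONE = {
    "example.com.": [(0, "issue", "ca-one.example"), (0, "issuewild", ";")],
    "www.example.com.": [(0, "issue", "ca-two.example; account=4711")],
}

def relevant_rrset(zone, fqdn):
    """Climb from fqdn towards the root; return the first CAA RRset found."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":  # a wildcard request starts at the parent name
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels) + ".")
        if rrset:
            return rrset
        labels = labels[1:]
    return []  # nothing published anywhere in the tree

def may_issue(zone, fqdn, ca_domain):
    """True if the CA identified by ca_domain may issue for fqdn."""
    rrset = relevant_rrset(zone, fqdn)
    # A critical (flag 128) property the CA does not understand blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    # issuewild is only consulted for wildcard names and then replaces issue.
    values = issuewild if (fqdn.startswith("*.") and issuewild) else issue
    if not values:
        return True  # no CAA record or no issue property: issuance unrestricted
    # Value is "<issuer domain>[; FIELD=VALUE ...]"; an empty issuer (";")
    # authorizes nobody. Parameters are dropped here (assumption: CA-side check).
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_domain.lower() in allowed

if __name__ == "__main__":
    for name in ("example.com.", "mail.example.com.", "www.example.com.",
                 "*.example.com.", "host.example.org."):
        for ca in ("ca-one.example", "ca-two.example"):
            print(f"{name:20} {ca:16} {may_issue(ZONE, name, ca)}")
```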

How to maintain CAs?
Go to System / Interface / Main Config Tab “DNS CAAs”.

Different settings are possible for each certification authority:
Name: (internal) name of the CA
Issue: URL of the CA
Wildcard: The CA can issue wildcard-certificates

Add CAA-Records to your DNS:
Additional Hostnames: If the CAA-Records should not match the whole domain (Example 2), enter different Hostnames (www, cloud etc.).
Additional Options: Requested by the CA (Example 3). Always use FIELD=VALUE and separate multiple options with commas.

If you create a website with a cert from Let’s Encrypt, the CAA record will be added automatically to your DNS.
