CAA-Records with ISPConfig


Requirements: ISPConfig >= 3.1 and a BIND DNS server

Installation:
cd /tmp
wget https://www.schaal-it.com/downloads/caa-patch.tgz
tar xfz caa-patch.tgz
cd caa-patch
php -q install.php

Install this patch on all servers in a multiserver setup. No checksum or signature is published with the archive, so inspect the extracted files (in particular install.php, which modifies your ISPConfig installation) before running the installer.

What is a CAA-Record?
A CAA record (Certification Authority Authorization, RFC 6844, updated by RFC 8659) lets the owner of a domain state which certification authorities are allowed to issue certificates for it. The record is published in the DNS and is checked by the certification authority before it issues a certificate; publicly trusted CAs have been required to perform this check since September 2017. Browsers do not evaluate CAA, so it limits issuance, not what a client accepts. The CA looks for CAA records at the requested hostname first and, if there are none, walks up through the parent names. If no CAA record exists at the hostname or any of its parents, any certificate authority may issue a certificate.

Example 1:
example.com CAA cert.net
For the domain example.com (and every hostname below it that has no CAA record of its own) only the certification authority cert.net may issue certificates. The examples use a shortened notation; in the zone file the record reads example.com. CAA 0 issue "cert.net", where cert.net is the issuer domain the CA publishes for CAA checks.

Example 2:
example.com CAA cert.net
www.example.com CAA cert-www.net
For the domain example.com (and all hostnames except www) only the certification authority cert.net may issue certificates. For www.example.com only cert-www.net is allowed to issue certificates, because the CA finds a CAA record at www.example.com itself and never consults the record at example.com.

Example 3:
example.de CAA cert.net account=4711
The CA cert.net may issue certificates for example.de only under the conditions given by the additional parameter (here: account 4711). In the zone file the parameter is appended to the value after a semicolon: example.de. CAA 0 issue "cert.net; account=4711". Parameter names and meanings are defined by each CA, so use only parameters your CA documents (Let's Encrypt, for example, understands accounturi and validationmethods, not account).

How to maintain CAs?
Go to System / Interface / Main Config, tab "DNS CAAs".

The following settings are available for each certification authority:
Name: (internal) name of the CA
Issue: the issuer domain the CA publishes for CAA checks (for Let's Encrypt this is letsencrypt.org), not a URL
Wildcard: the CA is also allowed to issue wildcard certificates (in DNS terms, an issuewild record in addition to the issue record)

Add CAA-Records to your DNS:
Additional Hostnames: If the CAA records should not apply to the whole domain (Example 2), enter the hostnames (www, cloud etc.) that get their own records.
Additional Options: Parameters requested by the CA (Example 3). Always use FIELD=VALUE and separate multiple options with commas.

If you create a website with a certificate from Let's Encrypt, the CAA record is added automatically to your DNS zone. After the zone has been reloaded, query the authoritative server for the CAA type to confirm that the record is published before requesting the certificate; a missing or wrong issuer domain causes the CA to refuse issuance.
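To make the rules behind Examples 1 to 3 and the CA settings above concrete, here is a small CAA evaluator. It is an added example, not code from the ISPConfig patch or from schaal-it.com: it applies the RFC 8659 lookup rules (climb from the hostname towards the root, issuewild overrides issue for wildcard names, an unknown critical property forbids issuance) to a constructed in-memory zone, and it prints records in BIND zone-file syntax. The zone contents, the CA names, the account parameter and the records_from_config mapping of the patch's Name/Issue/Wildcard/Additional Options fields onto records are all assumptions; the patch's real code is not on this page.

```python
# Added example, not part of the ISPConfig CAA patch: a minimal RFC 8659 CAA
# evaluator over a constructed in-memory zone. Zone data, CA names and the
# "account" parameter are made up to mirror Examples 1-3 of the text; the
# records_from_config mapping of the patch's settings is an assumption.
from dataclasses import dataclass

CRITICAL = 128                      # issuer-critical flag bit in the CAA flags byte
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    def zone_line(self, owner):
        """BIND presentation format, e.g. example.de. CAA 0 issue "cert.net; account=4711"."""
        return f'{owner}. CAA {self.flags} {self.tag} "{self.value}"'


# Constructed zone data (not a real zone): Examples 1-3 plus a name that blocks wildcards.
ZONE = {
    "example.com":     [CAA(0, "issue", "cert.net")],
    "www.example.com": [CAA(0, "issue", "cert-www.net")],
    "example.de":      [CAA(0, "issue", "cert.net; account=4711")],
    "example.org":     [CAA(0, "issue", "cert.net"), CAA(0, "issuewild", ";")],
}


def relevant_rrset(name, zone=ZONE):
    """RFC 8659 section 3: start at the name (for a wildcard, at its parent) and
    climb towards the root; the first non-empty CAA RRset is the one that applies."""
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def parse_value(value):
    """Split 'cert.net; account=4711' into ('cert.net', {'account': '4711'}).
    An empty issuer domain (the value ';') authorises nobody."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            key, val = p.split("=", 1)
            params[key.strip()] = val.strip()
    return parts[0].lower(), params


def may_issue(ca, name, wildcard=False, ca_params=None, zone=ZONE):
    """Decide whether issuer `ca` may issue a certificate for `name`.
    Parameter policy is this example's own (real CAs define their own parameters):
    every parameter in a matching record must be satisfied by `ca_params`."""
    ca_params = ca_params or {}
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True                  # no CAA anywhere up the tree: unrestricted
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False                 # unknown critical property: must not issue
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"            # issuewild overrides issue for wildcard names
    candidates = [r for r in rrset if r.tag == tag]
    if not candidates:
        return True                  # RRset restricts nothing for this request type
    for r in candidates:
        domain, params = parse_value(r.value)
        if domain == ca.lower() and all(ca_params.get(k) == v for k, v in params.items()):
            return True
    return False


def records_from_config(issue_domain, wildcard=False, options=""):
    """Assumed mapping of the patch's CA settings (Issue, Wildcard, Additional
    Options as FIELD=VALUE,FIELD=VALUE) onto CAA records."""
    value = issue_domain
    if options:
        value += "; " + "; ".join(o.strip() for o in options.split(","))
    recs = [CAA(0, "issue", value)]
    if wildcard:
        recs.append(CAA(0, "issuewild", value))
    return recs


if __name__ == "__main__":
    for rec in records_from_config("cert.net", wildcard=True, options="account=4711"):
        print(rec.zone_line("example.de"))
    print(may_issue("cert.net", "mail.example.com"))              # inherited from example.com
    print(may_issue("cert.net", "www.example.com"))               # www has its own record
    print(may_issue("cert.net", "*.example.org", wildcard=True))  # blocked by issuewild ";"
```

The check for mail.example.com shows why Example 1 covers "all hostnames": the CA finds nothing at mail.example.com and climbs to example.com. The check for www.example.com shows the Example 2 override, and example.org shows the case the Wildcard setting exists for: a domain can allow a CA for ordinary names while forbidding wildcard issuance entirely.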

