Share this post

Managing digital certificates can be challenging. On average, companies spend 225 hours manually managing 50 certificates a year[1]. About 74% of enterprises have seen system outages due to unplanned certificate expiration[2], and over 50% have a lost or rogue digital certificate[3].

It’s not uncommon for a company to find they don’t have a full accounting of all the digital certificates used within their business; for large organizations, an audit usually reveals the use of multiple providers. Digital certificates are easily purchased online with a credit card and have a maximum validity of two years, which means keeping up with renewal notices from various providers, and preventing expirations that could cause catastrophic service outages and data breaches becomes an uphill task.

In December 2018, millions of people in the UK woke up to ‘No Service’ alerts when a mobile provider experienced an overnight network outage. This affected a number of networks, and was traced back to an expired certificate. – BBC News[4]

In 2017, a critical digital certificate that had been expired for over two months resulted in the failure of an organization’s monitoring device to detect a data breach where  customer information was stolen, affecting nearly 150M people. Over half a million in fines was imposed on the breached company, and millions more have been set aside for breach payouts. – Forbes[5] and The Wall Street Journal[6]

Companies need a better strategy in managing their digital certificate portfolio. An easy, low cost, low effort mechanism is to employ the use of Certificate Authority Authorization (CAA) Records. However, our sample analysis of 2,000 global companies’ domains reveal only 3% are actively using CAA records.

At a 3% adoption rate, companies may not be capitalizing on this technical control due to:

  1. Lack of awareness
  2. Complexity in implementation between the different domain name system (DNS) and digital certificate providers they use

So, what’s a CAA record?

A CAA record is a resource record held on a zone file that allows the domain owner to indicate which Certificate Authorities (CAs) are authorized to issue a certificate for a given domain name.

CAA record added Digital certificate requested Implications
Yes Request matches record. Certificate issued according to record.
Yes Request does not match record. Certificate not issued, preventing unauthorized certificates from being issued.
No No record exists for matching. Certificate issued according to requests, including unauthorized ones.

Better digital certificate management

By adding CAA records, you are able to control the CAs that your company uses. This exercise supports the consolidation of your providers and reduces the overall cost of management that comes with multiple disparate providers, also greatly reducing the risk of an expiration.

Enforce your company’s policy

A CAA record ensures that only your chosen provider can issue a certificate for your domain names. This is an essential technical control allowing for policy enforcement, as employees will not be able to purchase additional certificates from non-authorized CAs. Importantly, you can create a CAA record which will report any attempted policy violations to a chosen email address.

Ensure the use of high validation digital certificates

In the future*, apart from defining your preferred CA, you’ll be able to stipulate the level of validation acceptable when adding a digital certificate. The higher the level of validation, the more confidence it gives site visitors that they are accessing a legitimate site. With domain validation (DV) certificates increasingly used by cyber criminals to falsely portray legitimacy, CSC recommends using CAA records to stipulate the use of organization validation (OV) and extended validation (EV) certificates where necessary. *date to be confirmed

Mitigate cyber threat

The existence of a CAA record will add a layer of security that prevents cyber criminals from adding encryption or HTTPS with free, low validation digital certificates that do not match your records on a site to fool targets in a domain shadowing attack.

CAA records improve the management of digital certificates at the policy and operation levels, as well as thwart the advances of cyber criminals; they play an important role in developing a multi-layered defense-in-depth approach that every company’s domain security should consider.

Partner with an enterprise-class provider who understands your business priorities, is able to consolidate your digital assets, and has the tools to:

  • Assess and identify your vital domains
  • Help develop your digital certificate policy
  • Implement CAA records within your DNS zone files

In doing so, only authorized certificates are issued, reducing security risks, and ensuring company policy compliance.

Being the trusted partner able to serve as the single point of contact for our clients’ domains, DNS, and digital certificate portfolios, we encourage them to add CAA records to their DNS zones files, even at the time of domain registration.

Request a consultation to learn how we can help you enforce your digital certificate policy.


[1] Aberdeen Group

[2] Ponemon Institute

[3] TechTarget

[4] BBC News: bbc.com/news/business-46464730

[5] Forbes: forbes.com/sites/thomasbrewster/2019/07/22/equifax-just-got-fined-up-to-700-million-for-that-massive-2017-hack/#b5583993e96d

[6] The Wall Street Journal: wsj.com/articles/equifax-security-showed-signs-of-trouble-months-before-hack-1506437947

Mitigate Security Threats Through Digital Certificate Policy Enforcement