System status | SwissSign
A data security specialist by Swiss Post

22.08.2024

CAA for email certificates from September 2024

From September 2024, CAA entries in the DNS will also be checked when issuing email certificates.

We would like to point out the following change regarding CAA entries in the DNS:

Background

DNS Certification Authority Authorization (CAA) uses the Domain Name System (DNS). CAA is intended to enable the owner of a domain to authorize certain Certification Authorities (CAs) to issue a certificate for the domain in question. CAA records in DNS are optional.

For technical details, see IETF RFC 8659 and IETF RFC 9495.

What's new?

SwissSign already checks CAA entries when issuing SSL/TLS certificates. From September 2024 on, CAA entries will also be checked when issuing email or S/MIME certificates in accordance with the new IETF RFC 9495 (technically: the “issuemail property”).

Please note: CAA entries for issuing TLS and email certificates are independent of each other. A CAA entry for TLS does not apply to S/MIME and vice versa.

What do I have to do as a customer?

In most cases, no adjustments will be necessary on your part, unless you have already published a CAA record in the DNS with an issuemail entry. In this case, you may have to supplement it so that it contains the entry «swisssign.com», for example 'mail.client.example CAA 0 issuemail "swisssign.com"'.
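To check your own records against this rule, the following added example (not SwissSign code) evaluates a CAA record set for S/MIME issuance using the relevant-RRset lookup of RFC 8659 and the issuemail rule of RFC 9495. The zone data, the names other than mail.client.example and the function names are constructed for illustration; no DNS queries are made and critical-flag handling is left out.

```python
# Constructed sample data: owner name -> CAA rdata strings as they appear in a zone file.
ZONE = {
    "client.example": ['0 issue "ca.example"', '0 issuemail "otherca.example"'],
    "mail.client.example": ['0 issuemail "swisssign.com"'],
    "tls-only.example": ['0 issue "swisssign.com"'],
    "locked.example": ['0 issuemail ";"'],
}

def parse_caa(rdata):
    """Split '<flags> <tag> "<value>"' into (flags, tag, issuer domain)."""
    flags, tag, value = rdata.split(None, 2)
    # Parameters after ';' are dropped; an empty issuer (value ';') authorizes no CA.
    issuer = value.strip('"').split(";", 1)[0].strip().lower()
    return int(flags), tag.lower(), issuer

def relevant_rrset(domain, zone):
    """Climb from the address domain towards the root; the first non-empty CAA RRset wins."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, [parse_caa(r) for r in zone[name]]
    return None, []

def may_issue_smime(email, ca_domain, zone=ZONE):
    """True if CAA does not prevent ca_domain from issuing an S/MIME certificate for email."""
    domain = email.rsplit("@", 1)[1]
    _, rrset = relevant_rrset(domain, zone)
    # Only issuemail counts for S/MIME; issue and issuewild records are ignored.
    issuers = [issuer for _, tag, issuer in rrset if tag == "issuemail"]
    if not issuers:
        return True  # no issuemail property: S/MIME issuance is not restricted
    return ca_domain.lower() in issuers

if __name__ == "__main__":
    for addr in ("a@mail.client.example", "a@client.example",
                 "a@tls-only.example", "a@sub.locked.example"):
        print(addr, may_issue_smime(addr, "swisssign.com"))
```

Note that a CAA record set on a subdomain replaces the parent's set entirely, so mail.client.example above is governed only by its own issuemail record.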

We are happy to answer any questions you may have.

Best regards

Your SwissSign team