TL;DR
No, a Certificate Authority (CA) can’t sign any domain. CAs have strict rules about which domains they can issue certificates for. They verify ownership and control before issuing a certificate to prevent fraud and maintain trust in the internet’s security.
Understanding Certificate Authorities
A CA is a trusted entity that issues digital certificates. These certificates confirm a website’s identity, allowing secure connections (HTTPS). Think of them like digital passports for websites.
Why CAs Can’t Sign Any Domain
- Trust and Security: Allowing any CA to sign any domain would create chaos. Malicious actors could easily impersonate legitimate websites, leading to phishing attacks and data breaches.
- Domain Ownership Verification: CAs must verify that the person requesting a certificate actually controls the domain they’re trying to secure. This is done through various methods (see below).
- CA Policies & Restrictions: Each CA has its own Certificate Signing Request (CSR) policies and restrictions, including allowed TLDs (Top-Level Domains) and validation procedures. Some CAs specialise in certain types of certificates or domains.
How Domain Ownership is Verified
CAs use several methods to verify domain ownership:
- Email Verification: The CA sends an email to the registered administrative contact for the domain, asking them to approve the certificate request.
- DNS Record Modification: The CA asks you to add a specific DNS record (TXT or CNAME) to your domain’s configuration. This proves you have control over the DNS settings. Running dig +short example.com TXT will show the domain’s existing TXT records.
- HTTP File Upload: The CA requires you to upload a file with a unique code to a specific location on your website.
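The DNS and HTTP checks above, modelled as an added example that is not code from the original post or from any particular CA: the CA hands out an unpredictable token and then looks for the proof itself, through its own resolver and its own HTTP fetch, rather than trusting anything the requester asserts. The _domain-check label, the /.well-known/domain-check/ path and the sample records are assumed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed model of the DNS and HTTP checks described above; the
# _domain-check label and /.well-known/domain-check/ path are assumed
# for illustration and are not any real CA's challenge names.

def new_challenge_token() -> str:
    """Unpredictable token the CA hands to the requester (128 bits of entropy)."""
    return secrets.token_urlsafe(16)

def expected_dns_value(token: str) -> str:
    """The CA asks for a hash of the token in DNS so the raw token never sits in a public record."""
    return hashlib.sha256(token.encode()).hexdigest()

def verify_dns_challenge(domain: str, token: str,
                         lookup_txt: Callable[[str], Iterable[str]]) -> bool:
    """Pass only if the CA's own resolver sees the expected TXT value at the challenge label."""
    want = expected_dns_value(token)
    records = lookup_txt(f"_domain-check.{domain}")
    return any(hmac.compare_digest(rec.strip('"'), want) for rec in records)

def verify_http_challenge(domain: str, token: str,
                          fetch: Callable[[str], Optional[str]]) -> bool:
    """Pass only if the CA's own fetch of the well-known path returns exactly the token."""
    body = fetch(f"http://{domain}/.well-known/domain-check/{token}")
    return body is not None and hmac.compare_digest(body.strip(), token)

# Constructed sample data standing in for a DNS resolver and an HTTP client.
TOKEN = "constructed-token-value"
FAKE_DNS = {
    "_domain-check.example.com": [expected_dns_value(TOKEN)],
    "_domain-check.other.test": ["unrelated-record"],
}
FAKE_WEB = {f"http://example.com/.well-known/domain-check/{TOKEN}": TOKEN + "\n"}

def run_demo() -> dict:
    """example.com has published both proofs; other.test has neither, so it must fail."""
    return {
        "dns_ok": verify_dns_challenge("example.com", TOKEN, lambda n: FAKE_DNS.get(n, [])),
        "dns_wrong_value": verify_dns_challenge("other.test", TOKEN, lambda n: FAKE_DNS.get(n, [])),
        "http_ok": verify_http_challenge("example.com", TOKEN, FAKE_WEB.get),
        "http_missing": verify_http_challenge("other.test", TOKEN, FAKE_WEB.get),
    }

if __name__ == "__main__":
    print(run_demo())
```

The two injected callables are where a real CA would plug in its own resolver and HTTP client; the point of the design is that only those, never the requester, decide whether the proof is present.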
Types of Validation
- Domain Validated (DV): This is the simplest and fastest type of validation. It only confirms that you control the domain. Suitable for basic websites or testing.
- Organisation Validated (OV): Requires more extensive verification, including confirming your organisation’s legal existence and contact information.
- Extended Validation (EV): The highest level of validation, providing the strongest assurance of identity. EV certificates display a green address bar in browsers.
Checking Certificate Details
You can check who issued a certificate and its validity using online tools or your browser:
- Browser: Click the padlock icon in the address bar, then view the certificate details.
- Online Tools: Use websites like SSL Shopper (https://www.sslshopper.com) or DigiCert’s Certificate Transparency Search (https://search.digicert-ctr.com/).
What Happens if a CA Issues an Incorrect Certificate?
If a CA incorrectly issues a certificate (e.g., to someone who doesn’t own the domain), the certificate can be revoked. Browsers maintain lists of revoked certificates and warn users about websites that present invalid certificates.
Conclusion
CAs play a vital role in maintaining trust on the internet. Their strict policies and verification procedures prevent fraudulent certificate issuance and ensure secure online transactions. They absolutely cannot sign any domain without proper validation.