Verified Commit 41c7dd0c authored by Jérôme Charaoui's avatar Jérôme Charaoui 🕯️

howto/tls: document caa records

parent 28ed2a13
+11 −0
@@ -297,6 +297,17 @@ time of writing (2020-04-15):

See also the [alternative certificate authorities we could consider](#other-certificate-authorities).

### Certificate Authority Authorization (CAA)

`torproject.org` and `torproject.net` implement CAA records in DNS to restrict
which certificate authorities are allowed to issue certificates for these
domains and under what restrictions.

For Let's Encrypt domains, the CAA record also specifies which account is
allowed to request certificates. This is represented by an "account uri", and
is found among `certbot` and `dehydrated` configuration files. Typically, the
file is named `account_id.json`.

### Internal auto-ca

The internal "auto-ca" is a standalone certificate authority running
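Review bot: In the new CAA paragraph, "is found among `certbot` and `dehydrated` configuration files" and "Typically, the file is named `account_id.json`" leave the reader guessing where the account URI actually lives for each client; give the exact path per tool, because an operator who re-creates or rotates the Let's Encrypt account has to update the DNS record to the new URI before issuance starts failing. The section also says issuance is restricted to certain authorities "under what restrictions" without showing the records themselves; quoting the current CAA records for `torproject.org` and `torproject.net`, or the command used to retrieve them, would let someone verify the live DNS against what this page documents.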