forked from SSLMate/caa_helper
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathindex.xml
188 lines (160 loc) · 6.35 KB
/
index.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
<caa:page xmlns="http://www.w3.org/1999/xhtml" xmlns:caa="http://xmlns.sslmate.com/caa" xmlns:xi="http://www.w3.org/2003/XInclude" id="index">
<!--
Copyright (C) 2016-2022 Opsmate, Inc.
This Source Code Form is subject to the terms of the Mozilla
Public License, v. 2.0. If a copy of the MPL was not distributed
with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
This software is distributed WITHOUT A WARRANTY OF ANY KIND.
See the Mozilla Public License for details.
-->
<caa:title>CAA Record Generator</caa:title>
<caa:head>
<script type="text/javascript" src="generator.js"></script>
<script type="text/javascript">
document.addEventListener('DOMContentLoaded', function() {
init_caa_generator(document.body.dataset.sslmateDomain,
document.getElementById('generator_form'),
document.getElementById('ca_table'),
document.getElementById('caa_output_zonefile'),
document.getElementById('caa_output_rfc3597'),
document.getElementById('caa_output_tinydns'),
document.getElementById('caa_output_dnsmasq'),
document.getElementById('caa_output_generic'),
document.getElementById('certspotter_link'));
});
</script>
</caa:head>
<caa:body>
<div class="generator">
<form id="generator_form">
<div class="overview">
<p>
Over a hundred certificate authorities (CAs) have the power to issue
certificates which vouch for the identity of your website. Certificate
Authority Authorization (CAA) is a way for you to restrict issuance to the CAs you
actually use so you can reduce your risk from security vulnerabilities
in all the others. Setting up CAA is an easy way to improve
your website's security. <a href="about">Learn More</a>
</p>
</div>
<div class="section">
<h2>1. Enter Your Domain Name</h2>
<p>
<label for="domain_input">Domain name: </label><input id="domain_input" type="text" name="domain" size="30"/>
</p>
</div>
<div class="section">
<h2>2. Choose an Initial Policy</h2>
<table class="policy_selection">
<tr>
<td><button type="button" name="empty_policy">Empty Policy</button></td>
<td>You'll start with an empty policy that prohibits all CAs.</td>
</tr>
<tr>
<td><button type="button" name="use_sslmate_policy">SSLMate Policy</button></td>
<td>Your policy will allow only the CAs used by <a href="https://sslmate.com">SSLMate</a>.</td>
</tr>
<tr>
<td><button type="button" name="autogenerate_policy">Auto-Generate Policy</button></td>
<td>We'll use <a href="https://www.certificate-transparency.org/">Certificate Transparency</a> to see which CAs you're currently using.</td>
</tr>
<tr>
<td><button type="button" name="load_policy">Load Current Policy</button></td>
<td>We'll load your existing CAA record set so you can make adjustments.</td>
</tr>
</table>
</div>
<div class="section">
<h2>3. Select Authorized Certificate Authorities</h2>
<p class="instructions">
Check off the certificate authorities which you authorize to issue certificates
for your domain. You can separately authorize the issuance of wildcard and non-wildcard certificates.
</p>
<div class="ca_selector">
<p>
<label for="ca_filter_input">Filter by CA name: </label>
<input id="ca_filter_input" type="text" name="ca_filter" value="" size="40"/>
<button type="button" name="clear_ca_filter" class="link">Clear Filter</button>
</p>
<table id="ca_table">
<thead>
<tr>
<td class="name_col"></td>
<td class="type_col" colspan="2">Type of certificate</td>
</tr>
<tr>
<td class="name_col"></td>
<th class="nonwild_col">Non-Wildcard</th>
<th class="wild_col">Wildcard</th>
</tr>
</thead>
<tbody>
</tbody>
</table>
</div>
</div>
<div class="section">
<h2>4. Incident Reporting (Optional)</h2>
<p class="instructions">
You can specify an email address or URL for reporting certificate
requests or issued certificates that violate your CAA policy.
Reports will be provided in <a href="https://tools.ietf.org/html/rfc5070">iodef</a> format.
</p>
<p>
<label for="iodef_input">Email address or URL: </label><input id="iodef_input" type="text" name="iodef" size="40"/>
</p>
</div>
<div class="section">
<h2>5. Publish Your CAA Policy</h2>
<p class="instructions">
Add the following CAA records to your
domain's DNS. Your DNS must be hosted with a
<a href="support">service that supports CAA</a>.
</p>
<div class="output">
<div>
<h3>Generic</h3>
<p class="software">For Google Cloud DNS, Route 53, DNSimple, and other hosted DNS services</p>
<table>
<thead>
<th>Name</th>
<th>Type</th>
<th>Value</th>
</thead>
<tbody id="caa_output_generic"></tbody>
</table>
</div>
<div>
<h3>Standard Zone File</h3>
<p class="software">For BIND ≥9.9.6, PowerDNS ≥4.0.0, NSD ≥4.0.1, Knot DNS ≥2.2.0</p>
<pre id="caa_output_zonefile"></pre>
</div>
<div>
<h3>Legacy Zone File (<a href="https://tools.ietf.org/html/rfc3597">RFC 3597</a> Syntax)</h3>
<p class="software">For BIND <9.9.6, NSD <4.0.1, Windows Server 2016</p>
<pre id="caa_output_rfc3597"></pre>
</div>
<div>
<h3>tinydns</h3>
<p class="software"></p>
<pre id="caa_output_tinydns"></pre>
</div>
<div>
<h3>dnsmasq</h3>
<p class="software"></p>
<pre id="caa_output_dnsmasq"></pre>
</div>
</div>
</div>
<div class="section">
<h2>5. Monitor Your Domain (Optional)</h2>
<p class="instructions">
Even if you publish a CAA record, a noncompliant certificate authority
can ignore your CAA records. Use <a href="https://sslmate.com/certspotter" id="certspotter_link">Cert Spotter</a>
to monitor Certificate Transparency logs so you'll be notified if this happens.
</p>
</div>
</form>
</div>
</caa:body>
</caa:page>