Filter to conduct CA Authorization (CAA) checks for certificates intended for public trust. When selecting this filter, configure the following settings under properties.
check-domains-external-to-cs
true for CA Gateway to make CAA checks for domains in the subjectAltNames field external to the CSR, false otherwise.
Mandatory: No. This optional parameter defaults to true.
check-domains-from-csr
true for CA Gateway to make CAA checks for domains inside the CSR, false otherwise.
Mandatory: No. This optional parameter defaults to true.
dns-server.<i>.<setting>
The DNS settings, where "i" is an index starting at 0. You can omit this index when defining a single DNS server.
<setting> | Value | Default |
---|---|---|
ip | The IP address of the local DNS server that CA Gateway will use to look up the CAA resource record of the issuer. | – |
port | The port of the DNS server. | 53 |
timeout-first-seconds | The timeout of the first DNS lookup attempt, in seconds. | 3 |
timeout-second-seconds | The timeout of the second DNS lookup attempt, in seconds. Applicable if the first attempt results in an error. | 7 |
timeout-dsquery-seconds | The timeout, in seconds, of the Delegation Signer (DS) query made when checking for DNSSEC support. | 7 |
Mandatory: Yes.
issuer-string
The CAA issuer name, as expected in the DNS resource record. Real-world examples include:
- entrust.net
- pki.goog
The name is owned and defined by the issuer and registered in DNS for any CA to check.
Mandatory: Yes.
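The check the filter performs for each name is the RFC 8659 CAA evaluation: walk from the name toward the root until a CAA RRset is found, pick the issue (or issuewild) properties, and accept only if one names the configured issuer-string. The following is an added illustration, not CA Gateway's own code; it replaces the dns-server lookup with a constructed in-memory zone so it runs offline.

```python
# Constructed CAA data standing in for the DNS servers configured under dns-server.<i>.
# Keys are domain names, values are lists of (property tag, property value).
CONSTRUCTED_CAA = {
    "example.com": [("issue", "entrust.net"), ("issuewild", ";"),
                    ("iodef", "mailto:security@example.com")],
    "api.example.org": [("issue", "pki.goog; accounturi=https://pki.goog/accounts/42")],
    "locked.example": [("issue", ";")],   # 'issue ";"' forbids every issuer
}


def lookup_caa(name):
    """Stand-in for a DNS CAA query (hypothetical helper, no network access)."""
    return CONSTRUCTED_CAA.get(name.rstrip(".").lower(), [])


def relevant_rrset(name, lookup=lookup_caa):
    """RFC 8659 section 3: climb toward the root; the first non-empty CAA RRset governs."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrs = lookup(".".join(labels))
        if rrs:
            return rrs
        labels = labels[1:]
    return []   # no CAA anywhere in the tree: issuance is not restricted


def issuer_of(value):
    """Issuer domain of an issue/issuewild value: 'pki.goog; accounturi=...' -> 'pki.goog'."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name, issuer_string, lookup=lookup_caa):
    """True if the configured issuer-string is authorised to issue for this SAN name."""
    wildcard = name.startswith("*.")
    host = name[2:] if wildcard else name
    rrset = relevant_rrset(host, lookup)
    issue = [v for t, v in rrset if t.lower() == "issue"]
    issuewild = [v for t, v in rrset if t.lower() == "issuewild"]
    # Wildcard names are governed by issuewild when present, otherwise by issue.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True   # no issue/issuewild property: CAA does not restrict issuance
    return any(issuer_of(v) == issuer_string.lower() for v in governing)


def check_san_names(names, issuer_string, lookup=lookup_caa):
    """Evaluate every subjectAltName; any False result must block issuance."""
    return {n: caa_permits(n, issuer_string, lookup) for n in names}
```

A real deployment resolves the records through the configured dns-server entries and should treat a lookup error, after the retry and DS query, as a failed check rather than as an empty RRset.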
log-server.<i>.<setting>
The settings of each log server CA Gateway must contact to request the signed CT response. You must define at least one server, with <i> starting at 0.
<setting> | Value |
---|---|
name | A friendly name for the log server. For example: "Google Log Server". |
url | The URL of the log server. |
 | True if the SCTs produced by this log server are Google Chrome compatible. |
public-key | The public key of the log server, as a Base64 DER-encoded public key. Log servers typically advertise their keys publicly. |
tls-trust-anchor | The trust anchor for the CT Filter to perform the TLS handshake with the log server, as a Base64 DER-encoded certificate. |
Mandatory: Yes.