CAA and Certificate Tool

by J. Edward Durrett

Recently an article I authored was published on concerning
Certificate Authority Authorization (CAA) records in DNS. Briefly, CAA records allow a domain administrator to
specify what Certificate Authority (CA) is allowed to issue certificates for a domain. The article goes into more

To make checking a CAA record and certificate for a service easy, I put together a small Python script. This script works on every service that speaks TLS. Here is the example usage:

./ www 443 

Checking DNS for CAA records . . .

The following records were found: in CAA 128

Now checking certificate . . .

Using server name: on port 443 for SNI ...
Connected to ('', 443)

Certificate Information: '
Country: US
Organization: Let's Encrypt
Common Name: Let's Encrypt Authority X3'

The nice thing is that this script works with hosts using SNI, and it can check any service on any port. This is a great
help in checking mail servers, VoIP servers and the like. It is also great for servers that are running on
non-standard ports.
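
The two checks described above, as an added example that is not the author's script: it parses CAA records in presentation form, decodes the issuer-critical flag (the 128 in the sample output) and reads the issuer from a certificate fetched with an explicit SNI name. The function names, the sample record values and the example.com address are constructed for illustration, and the DNS lookup itself is left out so the block needs only the standard library.

```python
import shlex
import socket
import ssl

def parse_caa(rdata):
    """Parse CAA RDATA in presentation form: <flags> <tag> "<value>"."""
    flags, tag, value = shlex.split(rdata)
    flags = int(flags)
    # Bit 0x80 (decimal 128) is the issuer-critical flag defined in RFC 8659.
    return {"critical": bool(flags & 0x80), "tag": tag.lower(), "value": value.strip()}

def allowed_issuers(rdatas):
    """Return CA domains named in 'issue' records, or None if there are none."""
    issue = [r for r in map(parse_caa, rdatas) if r["tag"] == "issue"]
    if not issue:
        return None  # no 'issue' record: this record set does not restrict issuance
    # Drop parameters after ';'. An empty domain (value ";") authorizes no CA.
    domains = {r["value"].split(";")[0].strip().lower() for r in issue}
    return domains - {""}

def issuer_fields(cert):
    """Flatten the 'issuer' RDN tuples returned by SSLSocket.getpeercert()."""
    return {key: value for rdn in cert["issuer"] for key, value in rdn}

def fetch_issuer(host, port, sni=None):
    """Connect to a service that speaks TLS from the first byte (no STARTTLS)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname sets the SNI name and the name the certificate is checked against.
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            return issuer_fields(tls.getpeercert())

# Constructed sample data shaped like real CAA answers and getpeercert() output.
SAMPLE_CAA = [
    '128 issue "letsencrypt.org"',
    '0 iodef "mailto:hostmaster@example.com"',
]
SAMPLE_CERT = {"issuer": (
    (("countryName", "US"),),
    (("organizationName", "Let's Encrypt"),),
    (("commonName", "Let's Encrypt Authority X3"),),
)}

if __name__ == "__main__":
    print("CAA allows:", allowed_issuers(SAMPLE_CAA))
    print("Issuer:", issuer_fields(SAMPLE_CERT))
```

A CAA record names the CA by domain while the certificate names it by organization, so matching the two still needs a person or a lookup table to confirm they refer to the same CA.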


The references for my original article on CAA Records and Certificate Issuance are here:

Copyright (c) 2019, Jason Edward Durrett - All content on this site, unless otherwise noted, is subject to this license.

Please contact me if any errors, such as erroneous / misleading content or missing / incomplete attribution, are found.