What is a CERT record? Secure Digital Certificates

The CERT record provides a space in the DNS for certificates and related certificate revocation lists (CRLs). These certificates verify the authenticity of the sending and receiving parties. The CRLs identify the certificates that are no longer valid. To create a CERT record, you must specify the certificate type, the key tag, the algorithm, and then the certificate, which is either the certificate itself, the CRL, a URL of the certificate, or fingerprint and a URL.

The CERT record has the following look in your ClouDNS Control Panel:

Host Type Points to: TTL
www.domain.com CERT 2 77 2 TUlJQ1l6Q0NBY3lnQXdJQkFnSUJBREFOQmdrcWh 1 Hour

Why do you need a CERT record?

CERT record serves as a way to securely store and retrieve certificates for various purposes, such as email signing, encryption, and authentication. This DNS record provides a standardized format for holding certificate-related information, including the certificate type, algorithm, and the certificate itself. Organizations can use CERT records to ensure that their certificates are properly managed and easily accessible. This helps establish trust, enables secure communication, and simplifies the process of validating and verifying certificates within a domain.

How to create a DNS CERT record?

Log in to your ClouDNS account, enter your DNS zone management page, and click on the Add new record button. For Type choose "CERT" and type as follow:

  • Type: CERT
  • TTL: 1 hour
  • Host: www
  • Type: Type of the Certificate/CRL.
  • Key Tag: A numeric value (0-65535), used the efficiently pick a CERT record.
  • Algorithm: Identifies the algorithm, used to produce a legitimate signature.
  • Points to: Base 64 encoded string.

*This hostname is used as an example.

How to check my CERT record?

The CERT record type cannot be looked up easily in Windows because neither Nslookup nor Powershell's Resolve-DnsName has support for it. 

However, you have the option to install WSL (Windows Subsystem for Linux) and then follow the Linux/macOS instructions below, or you can use an online lookup tool like ClouDNS Free DNS tool to check your CERT record.

In case you are a Linux/macOS user, you can open the Terminal and check your CERT record via DIG. Here is an example:

$ dig example.com CERT

As a result, the information about the available CERT records will appear.

How to start managing CERT records for your domain name?

  1. Create a free account from here - free forever
  2. Verify your e-mail address
  3. Log into your control panel
  4. Create a new Master DNS from the [add new] button - check a tutorial, here
  5. Add the CERT records you need, as it is described in this article.

Different certificate types for CERT records

As we already said, the aim of the CERT record is to store various types of certificates, each serving different purposes. In the ClouDNS Dashboard panel, the following certificate types are supported:

  • PKIX and IPKIX: Public Key Infrastructure (X.509) is the most common format for public key certificates. It's widely used in protocols such as TLS/SSL to secure web traffic. 
    Suggested: What is TLS/SS monitoring?
    Infrastructure Public Key Infrastructure (X.509) is similar to PKIX but designed for specific infrastructures that require dedicated certificate management.
  • SPKI and ISPKI: Simple Public Key Infrastructure certificates are simpler and lighter compared to X.509. They are used in IoT and internal services. Infrastructure Simple Public Key Infrastructure is similar to SPKI but tailored for specific infrastructures needing lighter certificate management.
  • PGP and IPGP: Pretty Good Privacy certificates are used for encrypts and signs data, mainly for email and file encryption. Infrastructure Pretty Good Privacy certificates are used for encrypting and signing communications within specific infrastructures.
  • IACPKIX: Attribute Certificate Public Key Infrastructure (X.509) is used for managing attribute certificates in addition to standard PKIX certificates.
  • URI: Uniform Resource Identifier certificates are used to associate public keys with URIs for secure resource access.
  • OID: Object Identifier certificates are used to uniquely identify objects within a certain context

Support of CERT records

ClouDNS provides full support for CERT records for all our DNS services, including the listed below. Just write to our technical support, if you need any assistance with your CERT records configuration. Our Technical Support team is online for you 24/7 via live chat and tickets.

FAQ

Question: Are CERT records mandatory for all domains?

Answer: No, they are optional and used for specific purposes like email encryption. Most standard websites or online services do not require CERT records.

Question: Can a domain have multiple CERT records?

Answer: Yes, a domain can have multiple CERT records. Each record will correspond to a different certificate or certificate usage associated with the domain.

Question: Can I delete or modify a CERT record after it has been published?

Answer: Yes, you can delete or modify your CERT record by accessing your domain's DNS management interface and making the necessary changes. Remember that DNS changes may take some time to propagate across the DNS infrastructure, so they may not take immediate effect everywhere.


Last modified: 2024-09-24
Cookies help us deliver our services. By using our services, you agree to our use of cookies. Learn more