How do I set up a CAA record for my domain?


In this article:

What is CAA record?

Add CAA record on cPanel

Add CAA record on CloudFlare

Add CAA record on Windows Server 2016

Add CAA record on GoDaddy

CAA record and CNAME

What is CAA record?

There are many organizations known as certificate authorities (CAs) that are responsible for issuing identity-confirmation certificates for websites, applications, digital IDs, etc.

If you would like to limit the list of CAs that are able to issue certificates for your website, you can add a CAA record to the DNS settings of your domain name.

A Certification Authority Authorization (CAA) is a DNS record type that allows a domain name owner to specify the preferred CAs for issuing certificates to that domain. When specified, other CAs will not be able to issue certificates for that domain name.

Since February 22nd, 2017, all CAs are required to check every domain name for CAA records before issuing a certificate for it.

Here are some scenarios in which CAA records can be useful:

  1. You want to reduce the risk of insecure Certificate Authorities.
  2. You want to prevent your employees from obtaining certificates from unauthorized certificate vendors.
  3. You want to prevent fraudulent certificate mis-issuances.

Since SSLs.com provides only certificates signed by Sectigo (formerly COMODO) CA, you should make sure that your domain name does not have certificate issuance restrictions.

Here is an example of a domain name without any CAA records (SSLs.com):

There are no specified CAA records under the ANSWER section. That means that no CAA records were set for this domain name.

Thus, any CA is technically allowed to issue an SSL certificate for SSLs.com if requested.

Here is an example of a domain name with a restricting CAA record (Google.com):

In this case, the domain name owner of “google.com” has specified that only Google Trust Services CA (https://pki.goog) is allowed to issue the certificates for this domain name.

Here is another example of a domain name with a restricting CAA record:

An issue record with the value “;” means that no CA at all can issue certificates for this domain name.

If your domain name has any CAA records set, SSL issuance from SSLs.com might get stuck after domain control validation is completed. If you wish to get your SSL from SSLs.com issued, you can proceed by deleting the restricting CAA records or by adding the following CAA records:

replace_with_your_domain.com.    CAA    0 issue "sectigo.com"

replace_with_your_domain.com.    CAA    0 issuewild "sectigo.com"

CAA records with the values comodoca.com and trust-provider.com instead of sectigo.com are also accepted for the issuance of Sectigo SSLs.

If you are not sure whether your DNS provider supports CAA records, you can check here.

Additional information about how CAA treats different types of domain pointing can be found here.

Add CAA record on cPanel

If the nameservers for your domain name are managed via cPanel (on your hosting server's side), follow the steps below to add the CAA record for your domain.

  1. Log in to your cPanel.
  2. Scroll down to the Domains section and click on the Zone Editor option.
  3. Click the Manage button next to the needed domain.
  4. Click + Add Record to add a new DNS record. Choose CAA in the drop-down menu next to the Type field.

Fill in the following details:

  • Name: must be a domain name (with an optional trailing period).
  • TTL: must be a positive integer in seconds (we suggest setting this parameter as low as possible, for instance 100 or 1200).
  • Flag: 0
  • Tag: issue
  • Tag: issuewild – to allow issuance of wildcard certificates. Make sure to create an “issue” record as well.
  • Value: sectigo.com (or comodoca.com, or trust-provider.com)

Once all the fields are filled in, click the “Add Record” button.

Add CAA record on CloudFlare

If the nameservers for your domain are managed on CloudFlare, follow the steps below to add a CAA record for your domain.

  1. Log in to your CloudFlare account.
  2. Choose the relevant website.
  3. Click on the “DNS” icon at the top of the page.
  4. In the DNS Records panel, click the “Add” record button.
  5. Choose “CAA” from the Type field.
  6. In the “Name” text box, enter the relevant subdomain (or @ for the bare domain name itself).
  7. In the “Flag” section, enter 0.
  8. In the “Tag” section, select “Only allow specific hostnames” (or “Only allow wildcards” to allow issuance of wildcard certificates. Make sure to create an “Only allow specific hostnames” record as well in this case).
  9. Enter the following text in the “CA domain name” text box: sectigo.com (or comodoca.com, or trust-provider.com)
  10. Click the “Save” button to save your CAA record.

Add CAA record on Windows Server 2016

Currently, the DNS server role of Windows Server 2016 does not allow adding CAA records through the graphical interface. The only way to add a CAA record if your domain's nameservers are managed on a Windows Server is to use PowerShell cmdlets.

  1. Log in to your Windows Server as administrator.
  2. Launch the PowerShell console by clicking on Windows Icon >> Windows PowerShell folder >> Windows PowerShell.
  3. Add the new record by entering the following command:
Add-DnsServerResourceRecord -name neededdomain.com -RecordData 000569737375657365637469676F2E636F6D -Type 257 -ZoneName domain.com

Where:

  • neededdomain.com – the main domain or the subdomain the CAA record is for
  • domain.com – the main domain name (the DNS zone) in question
  • 000569737375657365637469676F2E636F6D – the Sectigo CAA record data (flag 0, tag “issue”, value “sectigo.com”) encoded as hexadecimal
  • 257 – the numeric code of the CAA DNS record type

The hexadecimal code of Sectigo can just be copied and pasted into the command you run. If needed, the steps to calculate this code can be checked below. If you wish to allow another certificate authority to issue SSLs for your domain, you can also use this tool to generate the necessary code.

For example, the CAA record for “mywebsite.com” will look like this:

Add-DnsServerResourceRecord -name mywebsite.com -RecordData 000569737375657365637469676F2E636F6D -Type 257 -ZoneName mywebsite.com

Whereas, the CAA record for “test.mywebsite.com” will look like this:

Add-DnsServerResourceRecord -name test.mywebsite.com -RecordData 000569737375657365637469676F2E636F6D -Type 257 -ZoneName mywebsite.com

Here are screenshots of obtaining the Sectigo CA hexadecimal code:

The CAA record has now been added. It can also be checked in the graphical interface of the DNS Manager on your Windows Server, where it appears as a record of ‘Unknown’ type with code 257 in its properties.
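The hexadecimal string above is simply the CAA record data in DNS wire format: one byte of flags, one byte giving the tag length, the tag, and then the value filling the rest. The following is an added example (not the article's own code, and not part of the cmdlet) that builds such a string for any flag/tag/value combination and decodes one back, so that the value pasted into -RecordData can be verified before it is used:

```python
# Added example, not from the SSLs.com article: build and decode the CAA RDATA
# hex that the Windows Server cmdlet (-Type 257 -RecordData ...) expects.
# Wire format (RFC 8659): 1 byte flags, 1 byte tag length, tag, then the value
# fills the remainder of the RDATA (no length byte for the value).
SECTIGO_HEX = "000569737375657365637469676F2E636F6D"  # the value quoted in the article


def encode_caa(flags: int, tag: str, value: str) -> str:
    """Return the upper-case hex RDATA for one CAA record."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    tag_bytes = tag.encode("ascii")
    if not 1 <= len(tag_bytes) <= 255:
        raise ValueError("tag must be 1..255 ASCII bytes")
    rdata = bytes([flags, len(tag_bytes)]) + tag_bytes + value.encode("ascii")
    return rdata.hex().upper()


def decode_caa(hex_rdata: str) -> tuple:
    """Parse RDATA hex back into (flags, tag, value); raise on malformed data."""
    raw = bytes.fromhex(hex_rdata)
    if len(raw) < 2:
        raise ValueError("RDATA too short for a CAA record")
    flags, tag_len = raw[0], raw[1]
    if len(raw) < 2 + tag_len:
        raise ValueError("tag length exceeds the RDATA")
    tag = raw[2:2 + tag_len].decode("ascii")
    value = raw[2 + tag_len:].decode("ascii")
    return flags, tag, value


if __name__ == "__main__":
    # The first call reproduces the article's hex string exactly.
    print(encode_caa(0, "issue", "sectigo.com"))
    # Companion record needed for wildcard certificates.
    print(encode_caa(0, "issuewild", "sectigo.com"))
    print(decode_caa(SECTIGO_HEX))  # (0, 'issue', 'sectigo.com')
```

Running the script prints the same string the article gives for Sectigo, plus the issuewild variant needed for wildcard SSLs.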

Add CAA record on GoDaddy

If your domain is registered with GoDaddy or uses GoDaddy nameservers, follow the steps below to add a CAA record.

  1. Log in to your GoDaddy Domain Control Center.
  2. Select the domain you wish to add a CAA for to access the Domain “Settings” page.
  3. Under “Additional Settings”, select “Manage DNS”.
  4. Click “Add” under the records table.
  5. Select “CAA” as the Record type.
  6. Enter the following details for your CAA record and click “Save”:
  • Name: the domain or subdomain you are creating the CAA record for (for instance, @ for the bare domain example.com, or www for www.example.com)
  • Flags: the default flag is 0
  • Tag: this can be “issue”, “issuewild” or “iodef”, depending on your specific requirements (for single-domain or multi-domain SSL issuance the tag should be “issue”, while for a wildcard SSL you will need to create two CAA records, one of the “issue” type and one of the “issuewild” type)
  • Value: the certificate authority you want to allow SSL issuance from (for Sectigo, the accepted values are sectigo.com, comodoca.com or trust-provider.com)
  • TTL: we suggest setting this parameter as low as possible (the default value is 1 hour).

Note: Please keep in mind that it may take 24 to 48 hours for the new CAA record to become available worldwide for the checking and issuing of SSLs.

If you already have a CAA record and you just want to modify it instead of creating a new one, you can select the edit DNS pencil icon next to the CAA record you need to edit on the DNS Management page. After the necessary changes have been made, you can click ‘Save’ for the changes to be applied.

CAA record and CNAME

It should be noted that if your domain name is connected with a CNAME record to another domain name or third-party service, this may influence the CAA check.

For example, if you request a single-domain SSL issuance for example.com (and www.example.com by default), and www.example.com is connected with a CNAME record to another service (CDN, website builder, hosting server, load balancer, etc.), the CAA records for the CNAME record value should be checked as well.

Here is the www subdomain of an example domain which is connected to a third-party service with a CNAME record:

If you try checking the CAA record for the www subdomain, you will see that the CAA records for the third-party service domains are checked as well:

In this case, the SSL issuance from Sectigo will be stuck, as the third-party domain has no CAA record allowing SSL issuance by Sectigo CA.

There are two ways to proceed in this case:

  • If you have access to the CNAME value domain name, you can simply add the new CAA record there or remove the existing ones.
  • Alternatively, you can remove the CNAME record temporarily. This way, the CAA records for the CNAME value domain name will not be checked – only your own domain name will be. If there are no restricting CAA records for the domain itself, the SSL validation can be completed. Once the SSL is issued, you can add the CNAME record back to restore the previous setup.
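To make the rules from the “What is CAA record?” section and the CNAME caveat above concrete, here is an added example (not the article's own code) that decides whether Sectigo may issue for a name against a small constructed zone: the closest ancestor with CAA records decides, an issue value of “;” forbids every CA, wildcard requests use issuewild when present and otherwise fall back to issue, and, as the article describes, the CAA set of a CNAME target is consulted as well. ZONE and the names in it are constructed test data; a real CA performs these lookups against live DNS.

```python
# Added example, not from the SSLs.com article. ZONE is constructed test data.
# Rules: closest ancestor with CAA records decides; issue ";" allows no CA;
# wildcard requests use issuewild when present, else issue; if the name is a
# CNAME, the alias target's relevant CAA set must permit the CA as well.
SECTIGO_IDS = {"sectigo.com", "comodoca.com", "trust-provider.com"}

ZONE = {  # name -> {"CAA": [(flags, tag, value), ...]} and/or {"CNAME": target}
    "example.com.": {"CAA": [(0, "issue", "sectigo.com")]},
    "www.example.com.": {"CNAME": "site.builder-cdn.example."},
    "builder-cdn.example.": {"CAA": [(0, "issue", "pki.goog")]},
    "locked.example.": {"CAA": [(0, "issue", ";")]},
    "shop.example.com.": {"CAA": [(0, "iodef", "mailto:sec@example.com")]},
}


def relevant_caa(name: str) -> list:
    """Walk from name toward the root; return the first non-empty CAA RRset."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]) + ".", {}).get("CAA", [])
        if rrset:
            return rrset
    return []  # no CAA records anywhere up the tree: any CA may issue


def permits(rrset: list, ca_ids: set, wildcard: bool) -> bool:
    """Apply issue/issuewild semantics to a single RRset."""
    tags = {t for _, t, _ in rrset}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    values = [v.strip() for _, t, v in rrset if t == tag]
    if not values:
        return True  # only iodef records (or none): no issuance restriction
    return any(v in ca_ids for v in values)  # ";" is in no CA's identifier set


def ca_may_issue(name: str, ca_ids: set = SECTIGO_IDS, wildcard: bool = False) -> bool:
    """True only if the name and, if aliased, its CNAME target both permit ca_ids."""
    names = [name]
    target = ZONE.get(name, {}).get("CNAME")
    if target:
        names.append(target)
    return all(permits(relevant_caa(n), ca_ids, wildcard) for n in names)


if __name__ == "__main__":
    print(ca_may_issue("example.com."))      # True: issue sectigo.com
    print(ca_may_issue("www.example.com."))  # False: CNAME target allows only pki.goog
    print(ca_may_issue("locked.example."))   # False: issue ";"
```

The www case reproduces the article's scenario: the domain itself permits Sectigo, but the CNAME target's CAA set does not, so issuance is blocked until that record is changed or the CNAME is temporarily removed.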

If you’re certain that the CAA record has been created correctly or if you need the Sectigo team to initiate a CAA recheck following any modifications to the CAA records, you can contact their support team directly here.

Additionally, our Support Team is glad to assist you 24/7.