Certification Authority Authorization (CAA) Records

Certification Authority Authorization (CAA) records are Domain Name System (DNS) records that allow website owners to specify which Certificate Authorities (CAs) they trust to issue SSL Certificates for their domains. This added layer of security helps prevent unauthorized SSL Certificates from being issued.

By publishing a Certification Authority Authorization (CAA) record, website owners gain more control over their digital identity: the record states which Certificate Authorities (CAs) are permitted to issue SSL Certificates for the domain, which reduces the risk of fraudulent SSL Certificates being obtained and deployed by malicious actors.

Why Use Certification Authority Authorization (CAA) Records

Implementing Certification Authority Authorization (CAA) records significantly enhances the security posture of your website by adding an extra verification step that makes it far more difficult for malicious actors to obtain fraudulent SSL Certificates. This is a critical step in protecting your online presence and maintaining the integrity of your encrypted connections.

Using Certification Authority Authorization (CAA) records provides an additional layer of defense against phishing and man-in-the-middle attacks. This protection is vital for maintaining the trust and confidence of your users, particularly when handling sensitive information through your website.

How Certification Authority Authorization (CAA) Records Work

Certification Authority Authorization (CAA) records work by specifying the Certificate Authorities (CAs) authorized to issue SSL Certificates for a particular domain. These records are stored in your domain's Domain Name System (DNS) records.

When a Certificate Authority (CA) receives a request to issue an SSL Certificate, it first checks the domain's Domain Name System (DNS) records for a Certification Authority Authorization (CAA) record. If a Certification Authority Authorization (CAA) record exists and the Certificate Authority (CA) is not listed, it will refuse to issue the SSL Certificate. This prevents unauthorized issuance and strengthens your online security posture. The process is automatic and transparent to website users.

Certification Authority Authorization (CAA) Records for Trustico® SSL Certificates

Trustico® SSL Certificates are issued by Sectigo, one of the world's largest and most trusted Certificate Authorities (CAs). To ensure that Sectigo can issue SSL Certificates for your domain, you need to add the following Certification Authority Authorization (CAA) records to your domain's Domain Name System (DNS) settings through your Domain Name System (DNS) provider or domain registrar.

The following examples demonstrate the Certification Authority Authorization (CAA) records required for a domain called yourdomain.com. Replace yourdomain.com with your actual domain name when adding these records to your Domain Name System (DNS) configuration.

Standard SSL Certificate Issuance

This Certification Authority Authorization (CAA) record allows Sectigo to issue standard SSL Certificates for your domain. This is the most common record type and is required for single-site and multi-domain SSL Certificates.

yourdomain.com. IN CAA 0 issue "sectigo.com"

Wildcard SSL Certificate Issuance

This Certification Authority Authorization (CAA) record allows Sectigo to issue Wildcard SSL Certificates for your domain. If you intend to secure unlimited subdomains with a Wildcard SSL Certificate, this record must be present in your Domain Name System (DNS) configuration.

yourdomain.com. IN CAA 0 issuewild "sectigo.com"

S/MIME E-Mail Certificate Issuance

This Certification Authority Authorization (CAA) record allows Sectigo to issue S/MIME E-Mail Certificates for your domain. If you require E-Mail Certificates for signing and encryption within your organization, this record enables that capability.

yourdomain.com. IN CAA 0 issuemail "sectigo.com"

Complete Certification Authority Authorization (CAA) Record Set

For comprehensive coverage that allows Sectigo to issue all SSL Certificate types for your domain, add all three Certification Authority Authorization (CAA) records to your Domain Name System (DNS) settings. The following example shows the complete record set for a domain.

yourdomain.com. IN CAA 0 issue "sectigo.com"
yourdomain.com. IN CAA 0 issuewild "sectigo.com"
yourdomain.com. IN CAA 0 issuemail "sectigo.com"

Adding Certification Authority Authorization (CAA) Records

Adding Certification Authority Authorization (CAA) records to your domain is a straightforward process that varies slightly depending on your Domain Name System (DNS) provider or domain registrar. Most control panels provide a dedicated section for managing Domain Name System (DNS) records where you can add Certification Authority Authorization (CAA) record types directly.

When adding these records, ensure that you select the Certification Authority Authorization (CAA) record type from the available options. Enter the flag value as 0, the tag as either issue, issuewild, or issuemail depending on the record type, and the value as sectigo.com.

Domain Name System (DNS) propagation typically takes 15 to 30 minutes, after which only Sectigo will be able to issue SSL Certificates for your domain.

Important Considerations

If no Certification Authority Authorization (CAA) records exist for your domain, any Certificate Authority (CA) can issue SSL Certificates for that domain. Adding Certification Authority Authorization (CAA) records restricts issuance to only the specified Certificate Authorities (CAs), which significantly improves your security posture but requires careful planning.

Before adding Certification Authority Authorization (CAA) records, ensure that you have identified all Certificate Authorities (CAs) that currently issue SSL Certificates for your domain. If you have SSL Certificates from multiple providers, you will need to add Certification Authority Authorization (CAA) records for each Certificate Authority (CA) to avoid issuance failures during renewal.
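
The lookup and decision described under "How Certification Authority Authorization (CAA) Records Work", together with the multiple-provider situation above, as an added example that is not part of this article or of any Certificate Authority's software. It evaluates the RFC 8659 rules against a constructed sample zone: the record set recommended on this page plus a hypothetical second Certificate Authority (otherca.example) kept on one subdomain for renewals.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample zone (not live DNS data): owner name -> CAA records as
# (flags, tag, value). It holds the Sectigo record set recommended above plus a
# second CA on one subdomain, the renewal case from "Important Considerations".
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "yourdomain.com.": [(0, "issue", "sectigo.com"),
                        (0, "issuewild", "sectigo.com"),
                        (0, "issuemail", "sectigo.com")],
    "legacy.yourdomain.com.": [(0, "issue", "otherca.example")],
}
KNOWN_TAGS = {"issue", "issuewild", "issuemail", "iodef"}
CAA_RE = re.compile(r'^(?:\S+\s+IN\s+CAA\s+)?(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')

def parse_caa(rdata: str) -> Tuple[int, str, str]:
    """Parse a record as written on this page, with or without the 'name IN CAA' prefix."""
    m = CAA_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"not a CAA record: {rdata!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def relevant_caa(zone: dict, name: str) -> List[Tuple[int, str, str]]:
    """RFC 8659 section 3: the relevant RRset is the first non-empty one found
    when climbing from the requested name towards the root, label by label."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []

def may_issue(zone: dict, name: str, ca_domain: str) -> bool:
    """Would the CA identified by ca_domain (e.g. 'sectigo.com') be permitted to
    issue a TLS certificate for name? issuemail and iodef do not restrict TLS
    issuance, but an unknown tag with the critical flag (128) set blocks it."""
    rrset = relevant_caa(zone, name)
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # Wildcard names use issuewild when present and fall back to issue otherwise.
    allowed = issuewild if name.startswith("*.") and issuewild else issue
    if not allowed:
        return True  # no restricting tag anywhere up the tree: any CA may issue
    # A value may carry ";key=value" parameters; an empty value "" forbids all CAs.
    return ca_domain.lower() in [v.split(";")[0].strip().lower() for v in allowed]
```

Note that www.yourdomain.com inherits the yourdomain.com record set, so the hypothetical second provider can renew only for legacy.yourdomain.com, where its own issue record exists.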

Trustico® recommends implementing Certification Authority Authorization (CAA) records as part of a comprehensive security strategy. Combined with properly configured SSL Certificates, these records provide robust protection against unauthorized SSL Certificate issuance and help maintain the integrity of your encrypted communications.

Verifying Your Certification Authority Authorization (CAA) Records

After adding Certification Authority Authorization (CAA) records to your domain, you should verify that they have propagated correctly throughout the Domain Name System (DNS). Various online tools can query your domain's Certification Authority Authorization (CAA) records and confirm that they are configured correctly. This verification step ensures that your SSL Certificate orders will process without delays.

If you experience issues with SSL Certificate issuance after adding Certification Authority Authorization (CAA) records, verify that the records are correctly formatted and have fully propagated. Contact Trustico® support if you require assistance with Certification Authority Authorization (CAA) record configuration or SSL Certificate issuance.
