A Certification Authority Authorization (CAA) Record specifies the Certificate Authority (CA) that is authorized to issue a certificate for a particular domain. This means that no other CA can issue certificates for your domain.
Structure of a CAA Record
You can create the CAA records in the DNS settings of the domain.
|Name|Type|Value|
|---|---|---|
|example.com|CAA|0 issue "digicert.com"|
|example.com|CAA|0 issuewild "digicert.com"|
|example.com|CAA|0 iodef "mailto:email@example.com"|
The entry in the Value column consists of the following subentries:
Flag: A value between 0 and 255, used to represent the critical flag according to the RFC.
Tag: An ASCII string representing the property.
- issue: Authorizes the CA specified under "Value" to issue the certificates.
- issuewild: Authorizes the CA specified under "Value" to issue wildcard certificates.
- iodef: Mail address to which the CA sends notifications for issuing the certificate. Currently not supported by all CAs.
Value: Value associated with the 'tag'.
Example in BIND syntax:
example.com. 300 IN CAA 0 issue "digicert.com"
example.com. 300 IN CAA 0 issuewild "digicert.com"
example.com. 300 IN CAA 0 iodef "mailto:firstname.lastname@example.org"
Overview of valid Values for the CA
To grant permission to DigiCert and its brands, you may use any of the following entries, each containing all DigiCert products/brands.
Allow several CAs to issue Certificates
If several CAs are to be authorized to issue certificates, several CAA records can be entered per domain.
Once a CAA record has been set, no other CA can issue a certificate for this domain. You must either delete the corresponding CAA record or create a new record for the other CA.
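The record structure and the multi-CA case described above, as an added example that is not part of the original page: it parses CAA lines in BIND syntax and checks whether a given CA is authorized, including the RFC 8659 rule that a wildcard request uses issuewild when present and otherwise falls back to issue. The second CA (letsencrypt.org), the function names and the sample zone are assumptions constructed for illustration; only records stored at the exact domain name are evaluated, and critical-flag handling is left out.

```python
import shlex

# Constructed sample zone in the BIND syntax shown above.
# letsencrypt.org is an assumed second CA, not taken from the page.
ZONE = '''
example.com. 300 IN CAA 0 issue "digicert.com"
example.com. 300 IN CAA 0 issue "letsencrypt.org"
example.com. 300 IN CAA 0 issuewild "digicert.com"
example.com. 300 IN CAA 0 iodef "mailto:email@example.com"
'''

def parse_caa(zone_text):
    """Return (name, flag, tag, value) for every CAA line in zone_text."""
    records = []
    for line in zone_text.splitlines():
        fields = shlex.split(line)  # also strips the quotes around the value
        if "CAA" not in fields:
            continue
        i = fields.index("CAA")
        flag, tag, value = fields[i + 1:i + 4]
        flag = int(flag)
        if not 0 <= flag <= 255:
            raise ValueError(f"flag out of range: {line!r}")
        records.append((fields[0].rstrip(".").lower(), flag, tag.lower(), value))
    return records

def may_issue(records, domain, ca, wildcard=False):
    """Decide whether `ca` is authorized by the CAA records stored at `domain`."""
    rrset = [r for r in records if r[0] == domain.rstrip(".").lower()]
    issue = [v for _, _, t, v in rrset if t == "issue"]
    wild = [v for _, _, t, v in rrset if t == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    relevant = wild if (wildcard and wild) else issue
    if not relevant:
        return True  # no restricting property: CAA places no limit
    # The issuer domain is the part before any ';' parameters; a bare ";"
    # yields an empty issuer, which matches no CA.
    allowed = {v.split(";")[0].strip().lower() for v in relevant}
    return ca.lower() in allowed

if __name__ == "__main__":
    recs = parse_caa(ZONE)
    for ca in ("digicert.com", "letsencrypt.org", "other-ca.example"):
        print(ca, may_issue(recs, "example.com", ca),
              may_issue(recs, "example.com", ca, wildcard=True))
```

Running it shows that the second CA may issue ordinary certificates but not wildcard ones, because the only issuewild record names digicert.com.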