A Certification Authority Authorization (CAA) record specifies which Certificate Authorities (CAs) are authorized to issue certificates for a domain. A CA that is not listed must refuse the request. CAA is checked by the CA at issuance time (publicly trusted CAs have been required to check it under the CA/Browser Forum Baseline Requirements since September 2017); it does not invalidate certificates that were issued earlier, and browsers do not evaluate it.

Structure of a CAA Record

You create the CAA records in the DNS settings of the domain. After publishing them you can verify what resolvers see with `dig CAA example.com +short`.

Examples:

Domain        RR-Type   Value
example.com   CAA       0 issue "digicert.com"
example.com   CAA       0 issuewild "digicert.com"
example.com   CAA       0 iodef "mailto:customer@digicert.com"

The entry in the Value column consists of the following subentries:

Flag: An unsigned 8-bit integer (0-255). Only the high bit (value 128) is defined by the RFC: the issuer-critical flag. If it is set on a tag the CA does not understand, the CA must not issue. Use 0 for the standard tags.
Tag: An ASCII string naming the property.

  • issue: Authorizes the CA specified under "Value" to issue certificates for the domain (and, if no issuewild record exists, also wildcard certificates). The value ";" authorizes no CA at all.
  • issuewild: Authorizes the CA specified under "Value" to issue wildcard certificates (*.example.com). When present, it takes precedence over issue for wildcard requests.
  • iodef: A mailto: or https: URL to which the CA reports certificate requests that violate the CAA policy. Currently not supported by all CAs.

Value: The value belonging to the tag. For issue and issuewild this is the CA's issuer domain, optionally followed by ";" and CA-specific parameters.

Example in BIND syntax:

example.com. 300 IN CAA 0 issue "digicert.com"
example.com. 300 IN CAA 0 issuewild "digicert.com"
example.com. 300 IN CAA 0 iodef "mailto:customer@example.com"

Overview of valid Values for the CA

To authorize DigiCert and its brands, use any of the following issuer domains in the Value field; each of them covers all DigiCert products and brands.

  • digicert.com
  • www.digicert.com
  • symantec.com
  • thawte.com
  • geotrust.com
  • rapidssl.com

Allow several CAs to issue certificates

If several CAs are to be authorized to issue certificates, enter one CAA record per CA at the same domain name. A CA is authorized as soon as any issue (or, for wildcards, issuewild) record names it.

Once at least one CAA record exists for a name, only the CAs listed there may issue certificates for it. To authorize another CA you must either delete the existing CAA records or add a record naming the other CA. Note that CAs search upwards: if a name has no CAA records of its own, the records of the closest parent that has any apply, so a CAA record at example.com also governs www.example.com unless www.example.com publishes its own.
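The following Python script is an added example, not part of the original page or of any CA's code. It evaluates the structure described above (flags, issue, issuewild, iodef, the parent lookup and the "no other CA" rule) the way a CA does under RFC 8659, against a small in-memory zone that is constructed here for the example; the names in SAMPLE_ZONE and the hypothetical tag "futuretag" are assumptions.

```python
"""Decide whether a CA may issue for a name, following RFC 8659 CAA semantics.

Added example, not from the original page. The zone below is constructed
in memory so the script runs offline; real CAs obtain CAA via DNS.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 0x80            # high bit of the flags octet (RFC 8659 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone: name -> list of CAA rdata in presentation format.
SAMPLE_ZONE = {
    "example.com": [
        '0 issue "digicert.com"',
        '0 issuewild "letsencrypt.org"',
        '0 iodef "mailto:security@example.com"',
    ],
    "locked.example.com": ['0 issue ";"'],            # no CA may issue
    "strict.example.com": ['128 futuretag "x"'],      # unknown critical tag
}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def parse_caa(rdata: str) -> CAA:
    """Parse '<flags> <tag> "<value>"' (the BIND/presentation form)."""
    flags_s, tag, value = rdata.split(" ", 2)
    flags = int(flags_s)
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    return CAA(flags, tag.lower(), value.strip().strip('"'))


def issuer_domain(value: str) -> str:
    """Issuer domain of an issue/issuewild value, ignoring ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def relevant_rrset(zone, name):
    """Walk from the name towards the root; the first non-empty RRset wins.

    The wildcard label '*' is dropped first: *.example.com is governed by
    the records found at example.com (or its parents).
    """
    if name.startswith("*."):
        name = name[2:]
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrs = zone.get(candidate)
        if rrs:
            return candidate, [parse_caa(r) for r in rrs]
    return None, []


def may_issue(zone, name: str, ca: str) -> bool:
    """True if the CA with issuer domain `ca` may issue a certificate for `name`."""
    wildcard = name.startswith("*.")
    _, rrs = relevant_rrset(zone, name)
    if not rrs:
        return True                      # no CAA in the whole chain: unrestricted
    # A critical flag on a tag the CA does not understand forbids issuance.
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in rrs):
        return False
    issue = [r for r in rrs if r.tag == "issue"]
    issuewild = [r for r in rrs if r.tag == "issuewild"]
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True                      # e.g. only iodef present: not restricted
    # issue ";" yields an empty issuer domain and therefore matches no CA.
    return any(issuer_domain(r.value) == ca.lower() for r in governing)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "digicert.com"),
                     ("www.example.com", "letsencrypt.org"),
                     ("*.example.com", "letsencrypt.org"),
                     ("*.example.com", "digicert.com"),
                     ("deep.locked.example.com", "digicert.com"),
                     ("strict.example.com", "digicert.com"),
                     ("other.test", "digicert.com")]:
        print(f"{ca:16} -> {name:26} {'ALLOW' if may_issue(SAMPLE_ZONE, name, ca) else 'DENY'}")
```

The decisions show the points practitioners most often get wrong: www.example.com inherits the records of example.com, the issuewild record overrides issue for wildcard requests only, `issue ";"` locks a subtree against every CA, and a critical flag on an unknown tag causes a refusal rather than being ignored.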