
How to set up a CAA record

CAA (Certification Authority Authorization) is a type of DNS record that identifies the certification authorities (CAs) allowed to issue SSL/TLS certificates for a specific domain name or subdomain.

The largest and most popular certificate authorities agreed that, starting from September 8, 2017, a CA is required to strictly follow the instructions specified in the CAA records of the domain name or subdomain for which certificate issuance is requested.

Using a CAA record raises the level of security on the Internet and reduces the number of certificates obtained without authorization for third-party domain names.

Below is a detailed description of what a CAA record can do and the format in which it is used.

Record Format

The CAA record value consists of three parts, separated by spaces:

CAA <flags> <tag> <value>

<flags>

The flags value is an 8-bit number whose high bit tells the certification authority how critical the record is. The following values are currently in use:

  • 0 - If the tag is not supported or not recognized by the certification authority, the CA may still issue a certificate for the domain name or subdomain at its discretion.
  • 128 - If the tag is not supported or not recognized by the certification authority, the CA should not issue a certificate for the domain name or subdomain.

<tag>

The tag can take one of the following values:

  • issue - Defines a certification authority that is allowed to issue a certificate for the domain name or subdomain used as the name of the record.
  • issuewild - Defines a certification authority that is allowed to issue a wildcard certificate for the domain name or subdomain used as the name of the record. Such a certificate applies to the domain name or subdomain itself and to all of its subdomains.
  • iodef - Defines the email address or URL (complying with RFC 5070) that a certification authority should use for notifications when it receives a certificate request that violates the rules defined for the domain name by its CAA record.

<value>

The value depends on the tag and must be enclosed in double quotation marks (""). Some certificate authorities allow additional parameters in the value; in that case the parameters are separated from the CA domain name by a semicolon (;).

Example: 0 issue "sectigo.com; account=12345"

  • When tag = issue - The domain name of the certification authority that is allowed to issue a certificate for the domain name or subdomain specified as the name of the record. To prohibit every certificate authority from issuing a certificate for that domain name or subdomain, use a semicolon (;) instead of the domain name of a certificate authority.

    Example: example.tld. CAA 0 issue "sectigo.com"
    Example: example.tld. CAA 0 issue ";"
  • When tag = issuewild - The same as for tag = issue, except that the rule applies to wildcard certificates.

    Example: example.tld. CAA 0 issuewild "sectigo.com"
    Example: example.tld. CAA 0 issuewild ";"
  • When tag = iodef - An email address ("mailto:abuse@example.com") or URL ("http(s)://URL") that the certification authority should use when it receives an unauthorized request to issue a certificate for the domain name or subdomain used as the name of the record.

    Example: example.tld. CAA 0 iodef "mailto:abuse@example.com"

Features:

  • The record value of a domain name or subdomain is inherited by all of its subdomains unless one of them explicitly specifies otherwise.
  • To authorize two or more certificate authorities for a single domain name or subdomain, use several CAA records.
  • The absence of a CAA record is interpreted by every certificate authority as permission to issue a certificate.
  • The full CAA record specification is available in RFC 6844 (since updated and replaced by RFC 8659).

How to check?

The most common way to check CAA records is a dig query:

dig example.tld caa
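Added here as an example that is not part of this article (nor GoGetSSL's own tooling): a Python script that parses CAA records in the <flags> <tag> <value> form described above from dig-style answer lines, and then evaluates, following the inheritance rule from the Features section and the flag semantics from the <flags> section (as specified in RFC 6844 / RFC 8659), whether a given CA would be permitted to issue for a name. The dig output, the "locked" subdomain and the "account" parameter are constructed for illustration; example.tld and sectigo.com are reused only because the article's own examples use them.

```python
# Added example (not from the article): parse CAA records and apply the
# issuance rules a CA follows (RFC 6844 / RFC 8659). Sample data below is
# constructed; example.tld and sectigo.com are taken from the article.
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # The high bit (128) of the flags octet marks the record as critical.
        return bool(self.flags & 0x80)

    @property
    def issuer_domain(self) -> str:
        # For issue/issuewild the text before ';' names the CA; a value of
        # ";" alone yields an empty domain, i.e. "no CA may issue".
        return self.value.split(";", 1)[0].strip().lower().rstrip(".")

    @property
    def parameters(self) -> dict:
        # CA-specific parameters follow the domain, e.g. "account=12345".
        params = {}
        for item in self.value.split(";")[1:]:
            key, sep, val = item.partition("=")
            if sep:
                params[key.strip()] = val.strip()
        return params


def parse_caa(rdata: str) -> CAA:
    """Parse record data such as '0 issue "sectigo.com; account=12345"'."""
    flags_s, tag, value = rdata.split(None, 2)
    flags = int(flags_s)
    if not 0 <= flags <= 255:
        raise ValueError(f"flags must fit in one octet, got {flags}")
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError("CAA value must be enclosed in double quotes")
    return CAA(flags, tag.lower(), value[1:-1])


def parse_dig_output(text: str) -> dict:
    """Turn 'dig <name> caa' answer lines into {owner_name: [CAA, ...]}."""
    zone = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or line.startswith(";") or parts[3].upper() != "CAA":
            continue  # blank line, dig comment, or a non-CAA record
        owner = parts[0].lower().rstrip(".")
        zone.setdefault(owner, []).append(parse_caa(parts[4]))
    return zone


def relevant_rrset(zone: dict, name: str) -> list:
    """Walk from the name towards the root; the first non-empty set wins,
    which is how a CAA record is inherited by subdomains."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrs = zone.get(".".join(labels[i:]))
        if rrs:
            return rrs
    return []


def issuance_allowed(zone: dict, name: str, ca_domain: str) -> bool:
    """Would the CA identified by ca_domain be permitted to issue for name?"""
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]  # the wildcard's policy comes from its parent name
    rrs = relevant_rrset(zone, name)
    if not rrs:
        return True  # no CAA anywhere up the tree: issuance unrestricted
    if any(r.critical and r.tag not in KNOWN_TAGS for r in rrs):
        return False  # flag 128 on a tag we do not understand: refuse
    wild = [r for r in rrs if r.tag == "issuewild"]
    applicable = wild if (wildcard and wild) else [r for r in rrs if r.tag == "issue"]
    if not applicable:
        return True  # e.g. only an iodef record: nothing restricts issuance
    ca = ca_domain.lower().rstrip(".")
    return any(r.issuer_domain == ca for r in applicable)


def iodef_contacts(zone: dict, name: str) -> list:
    """Where a CA should report a request that violates the CAA policy."""
    return [r.value for r in relevant_rrset(zone, name) if r.tag == "iodef"]


# Constructed sample in the shape 'dig example.tld caa' prints its answers.
SAMPLE_DIG = """\
example.tld.         3600  IN  CAA  0 issue "sectigo.com; account=12345"
example.tld.         3600  IN  CAA  0 issuewild ";"
example.tld.         3600  IN  CAA  0 iodef "mailto:abuse@example.com"
locked.example.tld.  3600  IN  CAA  128 issue ";"
"""
ZONE = parse_dig_output(SAMPLE_DIG)

if __name__ == "__main__":
    checks = [("www.example.tld", "sectigo.com"), ("www.example.tld", "other-ca.example"),
              ("*.example.tld", "sectigo.com"), ("locked.example.tld", "sectigo.com"),
              ("unrelated.tld", "sectigo.com")]
    for name, ca in checks:
        verdict = "allowed" if issuance_allowed(ZONE, name, ca) else "refused"
        print(f"{ca:>18} -> {name:<20} {verdict}")
    print("report violations to:", iodef_contacts(ZONE, "www.example.tld"))
```

Running the script shows the three effects the article describes: www.example.tld inherits the parent's issue record, so only sectigo.com is allowed; the issuewild ";" record blocks every wildcard request even though a plain issue record exists; and a name with no CAA record anywhere up the tree is unrestricted. To check a real domain, feed the answer section of `dig <name> caa` into parse_dig_output instead of the constructed sample.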
