
How to configure CAA records


Before a CA (Certificate Authority) issues any certificate, it runs a CAA (Certification Authority Authorisation) check on the domain.

CAA records give an organisation a tool to ensure that only certain CA(s) are able to issue certificates for its domains.

The rules for CAA records on a domain:

  • No CAA record: All CAs can issue
  • CAA record for specified CA(s): Only specified CA(s) can issue

Two CAA record commands (property tags) exist:

  • issue: Allows issuance of certificates for specified CA(s)
  • issuewild: Allows issuance of wildcard certificates for specified CA(s)

Example CAA records for trustzone.com:

  • issuewild: globalsign.com
  • issue: sectigo.com
  • issue: globalsign.com

This would allow both GlobalSign and Sectigo to issue regular SSL/TLS certificates for trustzone.com (and any subdomains), while only allowing GlobalSign to issue wildcard certificates.

Note: if there are no “issuewild” records, CAs with an “issue” record are also allowed to issue wildcard certificates.

Further, we recommend a TTL value of 3600 and, if your DNS provider requires it, that the “Flag” value be set to 0.

An example of a CAA record created on a certain domain:

@ IN CAA 0 issue "globalsign.com"
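Added example (not from the TRUSTZONE article): a small Python checker that parses zone-file CAA lines like the one above and applies the rules described in this article, climbing to the parent name so subdomains inherit the records. The zone fragment and the function names are constructed for illustration.

```python
import re
# Zone-file CAA line: owner [TTL] IN CAA flags tag "value"
CAA_LINE = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"\s*$')

# Constructed zone fragment reproducing the article's trustzone.com example.
ZONE_TEXT = """
@ IN CAA 0 issuewild "globalsign.com"
@ IN CAA 0 issue "sectigo.com"
@ IN CAA 0 issue "globalsign.com"
"""

def parse_caa(zone_text, origin):
    """Parse CAA lines into {owner name: [(flags, tag, value), ...]}."""
    records = {}
    for line in zone_text.splitlines():
        m = CAA_LINE.match(line.strip())
        if not m:
            continue  # blank line or a record of another type
        owner, flags, tag, value = m.groups()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.setdefault(owner.rstrip(".").lower(), []).append(
            (int(flags), tag.lower(), value.strip().lower()))
    return records

def relevant_rrset(records, name):
    """Climb from name towards the root until a CAA RRset is found; this is
    why trustzone.com's records also govern its subdomains."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = records.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []  # no CAA record anywhere up the tree

def ca_may_issue(records, name, ca_domain):
    """Apply the article's rules; name may be a wildcard like '*.trustzone.com'."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(records, name[2:] if wildcard else name)
    if not rrset:
        return True  # no CAA record: all CAs can issue
    issue = {v for _, tag, v in rrset if tag == "issue"}
    issuewild = {v for _, tag, v in rrset if tag == "issuewild"}
    # issuewild governs wildcards when present; otherwise the issue records do.
    allowed = issuewild if (wildcard and issuewild) else issue
    # Assumption (not in the article): only-issuewild RRsets refuse non-wildcard names.
    return ca_domain.lower() in allowed
```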

It is perfectly fine to have CAA records for multiple CAs. Do contact us if you have any questions about getting better control over your certificates.

Jon Tittmann

Vetting/Support Team Lead & OpEx

Jon has been an integral part of TRUSTZONE for the past six years, during which he has acquired substantial expertise in the cyber security field. As the team leader for our support team, he possesses a profound understanding of the sector, enabling him to resolve even the most complex challenges within the certificate industry effectively.
