SSL Certificates and CAA Records
CAA stands for Certification Authority Authorization. These records are set with your DNS provider, and they are used by Certificate Authorities (like Let’s Encrypt, DigiCert, or Google Trust Services) to verify and issue SSL certificates.
Why do I need a CAA Record?
CAA records are added at the DNS level to restrict which Certificate Authorities may issue SSL certificates for the domain. For example, if the only CAA record on the domain names Let’s Encrypt, then only Let’s Encrypt is authorized to issue SSL certificates for that domain.
If your DNS provider supports CAA records but one has not been set, any Certificate Authority can issue a certificate. Additionally, WP Engine does not require CAA records to issue SSL certificates.
If you have CAA records applied that do not allow the Certificate Authorities WP Engine uses, then you will receive an error and be unable to add the SSL. This error typically looks like:
CAA record for domain.com prevents issuance
In this case, the CAA records should be removed or updated to the CAA values listed below.
How is this record checked?
If you wish to use SSL on your domain, you first need to check whether your DNS provider supports CAA records. Certificate Authorities query the domain's CAA record when determining whether an SSL certificate can be issued; you can run the same lookup with a dig command (TYPE257 is the DNS record type number for CAA):
dig -t TYPE257 domain.com
If your DNS provider allows CAA Records you will see a status of “NOERROR” returned. This indicates you can set a CAA record with your DNS provider. If not, you will see a “SERVFAIL” status. If you receive a SERVFAIL status when running this command and want to use an SSL certificate, please contact your DNS provider for more help.
You can see which DNS providers allow CAA Records on SSLMate.
How do I tell if I have a CAA record set up?
Once you have confirmed your DNS provider does support CAA records, you can check to see whether your domain already has a CAA record in place. There are a few different ways to determine whether or not your domain has a custom CAA record.
One option to determine if you have a CAA record already is to use the tools from SSLMate.
In the first section, enter your domain and then click the “Load Current Policy” button. If you get a popup that says “domain.com does not have a CAA Policy” then you do not currently have a CAA Record set up. If you do not get a popup, scroll down to the bottom to view the current policy for your domain.
Another way to check is with the tools on WhatsMyDNS.
Just enter your domain in the box. If it returns all red X’s then you do not have a CAA Record configured.
Otherwise the response will list the Certificate Authorities that are authorized for your domain, indicating you do have a CAA record configured.
WP Engine CAA Records
If your DNS provider supports CAA records, you can choose to set your preferred Certificate Authorities using CAA records. WP Engine does not require CAA records; however, if you choose to configure CAA, be sure to include all of the records listed below. Adding all of these records ensures that if WP Engine updates the network SSL, a certificate can be reissued without issue.
0 issue "letsencrypt.org"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issue "pki.goog; cansignhttpexchanges=yes"
0 issue "sectigo.com"
0 issuewild "letsencrypt.org"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issuewild "pki.goog; cansignhttpexchanges=yes"
0 issuewild "sectigo.com"
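To see how a Certificate Authority reads records like these, the following added example (not WP Engine's code) evaluates a CAA policy the way RFC 8659 describes: it walks up from the requested name to the closest ancestor that has CAA records, lets "issuewild" override "issue" for wildcard requests, strips parameters such as "cansignhttpexchanges=yes" from the issuer domain, and treats a bare ";" as forbidding issuance. The zone data, the names example.com and locked.example.com, and the CA names tested are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed zone data for the example; the apex mirrors the style of records
# listed above, and the subdomain carries a deliberately blocking record.
ZONE = {
    "example.com": [
        '0 issue "letsencrypt.org"',
        '0 issue "digicert.com; cansignhttpexchanges=yes"',
        '0 issuewild "sectigo.com"',
    ],
    "locked.example.com": ['0 issue ";"'],  # ";" alone: no CA may issue here
}

@dataclass
class CAA:
    flags: int   # bit 128 is the "issuer critical" flag
    tag: str     # issue, issuewild, iodef, ...
    value: str

def parse_caa(text):
    # Presentation form is: <flags> <tag> "<value>"
    flags, tag, rest = text.split(" ", 2)
    return CAA(int(flags), tag.lower(), rest.strip().strip('"'))

def ca_domain(value):
    # The issuer domain is everything before the first ';'; parameters follow it.
    return value.split(";", 1)[0].strip().lower()

def relevant_rrset(zone, name):
    # RFC 8659 section 3: use the CAA set of the name itself or, failing that,
    # of the closest parent that has one.
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return [parse_caa(r) for r in zone[candidate]]
    return []

def issuance_allowed(zone, name, ca, wildcard=False):
    """True if `ca` may issue a certificate for `name` (or *.name when wildcard)."""
    rrset = relevant_rrset(zone, name)
    if any(r.flags & 128 and r.tag not in {"issue", "issuewild", "iodef"} for r in rrset):
        return False  # a critical property the CA does not understand blocks issuance
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    governing = [ca_domain(r.value) for r in rrset if r.tag == tag]
    if not governing:
        return True  # no restricting record found anywhere up the tree
    return ca.lower() in governing  # a bare ";" yields "" and so matches no CA
```

The last case is what produces the "CAA record for domain.com prevents issuance" error above: a CA that is not named in the governing records is refused.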
NEXT STEP: Learn how to add an SSL to your website