SSL Certificates and CAA Records

CAA stands for Certification Authority Authorization. These records are set with your DNS provider, and they are used by Certificate Authorities (like Let’s Encrypt or RapidSSL) to verify and issue SSL certificates.

Previously, Certificate Authorities could issue SSL/TLS certificates for any domain, as there was no functionality to prevent this. Due to this, any Certificate Authority could issue an SSL for any domain (even google.com), regardless of who owned the domain. To prevent certificates being issued to users for domains they did not own, the CAA record was introduced and Certificate Authorities are now obligated to check for a CAA record when issuing an SSL certificate.

Why do I need a CAA Record?

Having a CAA Record that specifies a specific Certificate Authority makes it so that only that provider can issues certificates for your domain. So if you have a CAA Record that specifies Let’s Encrypt, then only Let’s Encrypt can issue an SSL.  This record will block a provider like RapidSSL from issuing a certificate for the same domain, since only Let’s Encrypt is authorized.

As Certificate Authorities are now required to check for CAA records, your DNS provider must support CAA records in order to issue an SSL certificate. If your DNS provider does support CAA records but one has not been set, any Certificate Authority can issue a certificate, which can lead to multiple SSL providers issuing a certificate for the same domain.

How is this Record checked?

If you wish to use SSL on your domain, you first need to check whether your DNS provider supports CAA records. The CAA record is queried by Certificate Authorities with a dig command  when determining whether an SSL certificate can be issued:

dig -t TYPE257 domain.com

If your DNS provider allows CAA Records you will see as status of “NOERROR” returned. This indicates you can set a CAA record with your DNS provider. If not, you will see a “SERVFAIL” status. If you receive a SERVFAIL status when running this command and want to use an SSL certificate, please contact your DNS provider for more help.

You can see which DNS providers allow CAA Records on SSLMate.  If your DNS provider is not listed here you will need to check with their support Support team to determine whether CAA Records are supported with their service.

How do I tell if I have a CAA Record setup?

Once you have confirmed your DNS provider does support CAA records, you can check to see whether your domain already has a CAA record in place. There are a few different ways to determine whether or not your domain has a custom CAA record.

SSLMATE

One option to determine if you have a CAA record already is to use the tools from SSLMate

In the first section, enter your domain and then click the “Load Current Policy” button. If you get a popup that says “domain.com does not have a CAA Policy” then you do not currently have a CAA Record setup. If you do not get a popup, scroll down to the bottom to view the current policy for your domain.

WHATSMYDNS

Another way to check is with the tools on WhatsMyDNS

Just enter your domain in the box. If it returns all red X’s then you do not have a CAA Record configured:

Otherwise you will get a response similar to the image below, indicating you do have a CAA record configured and specifying the Certificate Authorities who are authorized for your domain:

Setting up a CAA Record

If your DNS provider does support CAA records, but does not have a CAA record configured, you can choose to set your preferred Certificate Authorities with this record now. To setup a CAA Record you can use this tool from SSLMate.

First, enter your domain and click “Empty Policy”

Then, select which Certificate Authorities you want to allow to issue SSL Certificates for your domain:

Once you have selected the Certificate Authorities you want, scroll to the bottom and it provides the CAA Record in multiple formats for multiple different DNS types. If you are not sure which format you need, please reach out to your DNS provider for more help.

NOTE: When ordering an SSL from WP Engine we offer SSL certificates through Let’s Encrypt or RapidSSL, so be sure you select one of these Certificate Authorities when creating your CAA record.  Let’s Encrypt SSL certificates are for one domain (Non-Wildcard), and RapidSSL certificates are specifically for Wildcard domains.

What do I do if my DNS provider does not support CAA Records?

If your DNS provider does not allow the query of a CAA or the creation of a CAA, you will need to move to another DNS host in order to use an SSL certificate on your site. Cloudflare is a recommended option, but you can use the list of DNS providers who support CAA records for guidance as well.


NEXT STEP: Learn how to add an SSL to your website

Enterprise-grade security and performance for all

Global Edge Security provides a managed web application firewall (WAF), advanced DDOS mitigation, CDN, and automatic SSL installation all powered by Cloudflare.