CAA Record - Certification Authority Authorization
What is CAA?
Certification Authority Authorization (CAA) is a standard that allows you to control which certificate authorities (CAs) are permitted to issue certificates for your domain. By using CAA, you can minimize your exposure to vulnerabilities in certificate authority validation systems and enforce your organization’s certificate procurement policies.
To implement CAA, you publish a set of CAA records in your domain's DNS that specify the CAs authorized to issue certificates. Before issuing a certificate, a CA checks your CAA records and denies the request if it is not listed.
What is a CAA Record?
A CAA record is a DNS record that specifies which CAs are allowed to issue certificates for your domain. Its purpose is to give domain owners control over which CAs can issue a certificate for their domain.
Before issuing a certificate, the CA checks the domain’s CAA records and blocks the request if the CA is not listed. If no CAA record is present, any CA is allowed to issue a certificate for the domain.
CAA records can set policies for the entire domain or specific hostnames. They are also inherited by subdomains. Additionally, CAA records can regulate the issuance of single-name certificates, wildcard certificates, or both.
Note: All Certificate Authorities were mandated to check CAA DNS records for SSL certificates starting on September 8, 2017.
As of September 15, 2024, Sectigo has begun enforcing CAA lookups for the issuance of publicly-trusted S/MIME certificates following the “SHOULD” requirement of CA/B Forum.
Sectigo recognizes the following domain names in the “issue” and “issuewild” property tags for SSL certificates and in the “issuemail” property tag for S/MIME certificates as authorizing them to issue certificates:
How to Resolve CAA Check Pre-Sign Failures and Authorize Sectigo to Issue SSL Certificates for Your Domain
To authorize Sectigo to issue SSL certificates for your domain, update the domain's DNS zone to include a CAA record for "sectigo.com". For detailed instructions on how to access and edit DNS records, contact your domain registrar.
- Open your domain's DNS zone file.
- Under $ORIGIN yourdomain.com., add the record @ IN CAA 0 issue "sectigo.com" (@ stands for the zone apex, yourdomain.com; see the valid CAA resource record values below). Add the issuewild and issuemail records as well if Sectigo should also issue wildcard SSL and S/MIME certificates:
$ORIGIN yourdomain.com.
@ IN CAA 0 issue "sectigo.com"
@ IN CAA 0 issuewild "sectigo.com"
@ IN CAA 0 issuemail "sectigo.com"
Note: This single CAA record applies to all hosts and subdomains under your domain (e.g., www.yourdomain.com, shop.yourdomain.com, checkout.yourdomain.com, etc.).
The Following DNS Servers Support CAA Records for SSL Certificates:
- BIND (Prior to version 9.9.6, use RFC 3597 syntax)
- NSD (Prior to version 4.0.1, use RFC 3597 syntax)
- PowerDNS (version 4.0.0 and above)
- Knot DNS (version 2.2.0 and above)
- Google Cloud DNS
- DNSimple
Standard BIND Zone File:
For BIND (version 9.9.6 and above), PowerDNS (version 4.0.0 and above), NSD (version 4.0.1 and above), Knot DNS (version 2.2.0 and above):
Example: sectigo.com. IN CAA 0 issue "sectigo.com"
Generic Format:
For Google Cloud DNS and DNSimple:
0 issue "sectigo.com"
Additional Reference Information: RFC 6844
Does Sectigo Run CAA Checks for All Public S/MIME Issuance?
Starting on September 15, 2024, before issuing an S/MIME certificate that certifies an email address, the Certification Authority should check for the publication of a Relevant Resource Record Set (RRSet). Starting on March 15, 2025, the Certification Authority must perform this check. Sectigo will follow the “SHOULD” requirement starting on September 15, 2024.
CAA for S/MIME operates on the domain part of each email address (i.e., the suffix of the SAN.rfc822Name value, after the “@”), while for SSL, it operates on the entire FQDN (i.e., the entire SAN.dNSName value).
CAA for S/MIME involves checking the “issuemail” properties of the RRSet, whereas for SSL, it involves checking the “issue” and “issuewild” properties.
Note: Currently, Sectigo does not support any parameters for domains to further restrict the issuance of certificates.
Possible Use Cases and Their Expected Outcomes (Strictly for S/MIME Certificates):
- The Relevant RRSet is empty: Issuance is allowed.
- The Relevant RRSet does not contain any “issuemail” properties: S/MIME issuance is allowed.
- The Relevant RRSet contains multiple “issuemail” properties, where one property matches the issuer domain name of the Certification Authority, and one does not: S/MIME issuance is allowed.
- The Relevant RRSet contains a single “issuemail” property where the issuer domain name is an empty string: S/MIME issuance is prohibited.
- The Relevant RRSet contains a malformed “issuemail” property (does not conform to the ABNF syntax): S/MIME issuance is prohibited.
- The Relevant RRSet contains the critical flag for a CAA property that the Certification Authority does not support: S/MIME issuance is prohibited.
For examples of the “issuemail” property tag, refer to RFC 9495.
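As an added illustration (not Sectigo's code), the Python below evaluates a CAA RRSet the way the cases above describe, for all three property tags, and shows the S/MIME (domain part after "@") versus SSL (full FQDN) lookup difference. It assumes the malformed-value and critical-flag outcomes listed for S/MIME also apply to "issue" and "issuewild", and the sample RRSet is constructed.

```python
import re

# issuer-domain-name, optionally followed by ";" and parameters (RFC 8659 / RFC 9495 value syntax)
_VALUE = re.compile(r"^\s*([A-Za-z0-9.-]*)\s*(?:;.*)?$")
_KNOWN_TAGS = {"issue", "issuewild", "issuemail", "iodef"}  # tags this evaluator understands
CRITICAL = 128  # flags byte with bit 0 ("issuer critical") set

def caa_lookup_names(name):
    """Names to query in order, most specific first; the first name that has a CAA
    RRSet is the Relevant RRSet (RFC 8659 section 3), so a subdomain with its own
    CAA records is not covered by the parent's. For SSL pass the full FQDN here."""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def smime_caa_name(email):
    """CAA for S/MIME is evaluated on the part of the rfc822Name after the '@'."""
    return email.rsplit("@", 1)[1].lower()

def caa_allows(rrset, ca_domain, tag):
    """Decide whether the CA identified by ca_domain may issue under `tag`:
    "issue" (single-name SSL), "issuewild" (wildcard SSL) or "issuemail" (S/MIME).
    rrset is the Relevant RRSet as a list of (flags, tag, value) tuples."""
    # A critical flag on a property this CA does not understand prohibits issuance.
    if any(f & CRITICAL and t.lower() not in _KNOWN_TAGS for f, t, _ in rrset):
        return False
    relevant = [v for _, t, v in rrset if t.lower() == tag]
    # Wildcard requests are governed by "issue" when no "issuewild" property exists.
    if tag == "issuewild" and not relevant:
        relevant = [v for _, t, v in rrset if t.lower() == "issue"]
    # Empty RRSet, or no property of this kind: any CA may issue.
    if not relevant:
        return True
    parsed = [_VALUE.match(v) for v in relevant]
    # Any property that violates the value ABNF prohibits issuance.
    if any(m is None for m in parsed):
        return False
    # Allowed only if at least one property names this CA; an empty
    # issuer-domain-name (e.g. the value ";") therefore authorizes nobody.
    return any(m.group(1).lower() == ca_domain.lower() for m in parsed)

if __name__ == "__main__":
    # Constructed sample RRSet for yourdomain.com (not real DNS data).
    rrset = [(0, "issue", "sectigo.com"), (0, "issuemail", ";")]
    print(caa_allows(rrset, "sectigo.com", "issue"))      # True: SSL allowed
    print(caa_allows(rrset, "sectigo.com", "issuewild"))  # True: falls back to issue
    print(caa_allows(rrset, "sectigo.com", "issuemail"))  # False: empty issuer name
```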
Please contact your domain registrar to learn if support for CAA records for S/MIME certificates is available yet.
Please contact Support for more information.