SSL Certificates and Certification Authority Authorization (CAA) Records
Amanda Davis
When you order an SSL Certificate the Certificate Authority (CA) must perform several checks before your SSL Certificate can be issued. One of these mandatory checks involves examining your domain's Certification Authority Authorization (CAA) records to verify that the Certificate Authority (CA) is authorized to issue SSL Certificates for your domain.
Understanding Certification Authority Authorization (CAA) records, why they exist, and how to configure them correctly helps ensure your SSL Certificate orders complete successfully without delays caused by authorization failures.
Understanding Certification Authority Authorization (CAA) Records
Certification Authority Authorization (CAA) records provide domain owners with control over which Certificate Authorities (CAs) can issue SSL Certificates for their domains. These Domain Name System (DNS) records act as a security policy that Certificate Authorities (CAs) must respect when processing SSL Certificate requests.
What Certification Authority Authorization (CAA) Records Are
A Certification Authority Authorization (CAA) record is a specific type of Domain Name System (DNS) record that domain owners can publish in their domain's DNS zone to declare which Certificate Authorities (CAs) are permitted to issue SSL Certificates for that domain. These records serve as a whitelist mechanism that restricts SSL Certificate issuance to only those Certificate Authorities (CAs) explicitly approved by the domain owner.
Before September 2017, Certificate Authorities (CAs) were not required to check for Certification Authority Authorization (CAA) records when issuing SSL Certificates. Since then, the CA/Browser Forum has mandated that all publicly trusted Certificate Authorities (CAs) check Certification Authority Authorization (CAA) records before issuing any SSL Certificate.
This requirement applies to all validation levels including Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV) SSL Certificates.
How Certification Authority Authorization (CAA) Records Work
When you submit an SSL Certificate order, the Certificate Authority (CA) queries the Domain Name System (DNS) for your domain to check whether any Certification Authority Authorization (CAA) records exist.
If no Certification Authority Authorization (CAA) records are found, the Certificate Authority (CA) is permitted to proceed with issuance, because the absence of Certification Authority Authorization (CAA) records indicates that the domain owner has not restricted which Certificate Authorities (CAs) can issue SSL Certificates.
However, if Certification Authority Authorization (CAA) records are present, the Certificate Authority (CA) must verify that it is explicitly listed as an authorized issuer before proceeding.
Certification Authority Authorization (CAA) records are inherited by subdomains unless a specific Certification Authority Authorization (CAA) record exists for that subdomain. This means that a Certification Authority Authorization (CAA) record set on example.com will also apply to www.example.com, shop.example.com, and any other subdomains unless those subdomains have their own Certification Authority Authorization (CAA) records that override the parent domain's policy.
This inheritance model allows domain owners to set a single policy for their entire domain hierarchy while retaining the flexibility to grant different permissions for specific subdomains when needed.
The Structure of a Certification Authority Authorization (CAA) Record
Every Certification Authority Authorization (CAA) record consists of three main components that together define the authorization policy.
The flag value is typically set to 0 for standard Certification Authority Authorization (CAA) records, though a value of 128 indicates that the Certificate Authority (CA) should not issue an SSL Certificate if it does not understand the property tag.
The property tag specifies the type of authorization being granted, with "issue" being the most common tag that authorizes general SSL Certificate issuance.
The value field contains the domain name of the Certificate Authority (CA) being authorized, such as sectigo.com for Sectigo® branded SSL Certificates.
Domain owners can publish multiple Certification Authority Authorization (CAA) records to authorize more than one Certificate Authority (CA). Each Certification Authority Authorization (CAA) record represents a separate authorization, allowing organizations that work with multiple Certificate Authorities (CAs) to maintain flexibility while still benefiting from the security controls that Certification Authority Authorization (CAA) provides.
Additionally, the "issuewild" tag specifically controls Wildcard SSL Certificate issuance, enabling domain owners to apply different policies for Wildcard SSL Certificates compared to standard single-domain SSL Certificates.
Why Certification Authority Authorization (CAA) Records Exist
Certification Authority Authorization (CAA) records were developed as a security mechanism to protect domain owners from unauthorized or mistaken SSL Certificate issuance.
Understanding the security rationale behind Certification Authority Authorization (CAA) helps explain why these records are now mandatory for Certificate Authorities (CAs) to check.
Preventing Unauthorized SSL Certificate Issuance
Throughout the history of the SSL Certificate industry, there have been instances where SSL Certificates were issued inappropriately, either through compromised Certificate Authority (CA) systems, social engineering attacks, or validation process failures.
When an unauthorized party obtains a valid SSL Certificate for a domain they do not control, they can potentially intercept encrypted communications, conduct phishing attacks, or impersonate the legitimate website owner.
Certification Authority Authorization (CAA) records provide an additional layer of protection by ensuring that only Certificate Authorities (CAs) explicitly trusted by the domain owner can issue SSL Certificates.
By publishing Certification Authority Authorization (CAA) records, domain owners essentially create a policy declaration that all compliant Certificate Authorities (CAs) must respect.
Even if an attacker somehow manages to complete the validation process with an unauthorized Certificate Authority (CA), the Certification Authority Authorization (CAA) check will block issuance because the attacker cannot modify the legitimate domain owner's Domain Name System (DNS) records. This protection is particularly valuable for high-profile domains that may be targeted by sophisticated attackers.
Enforcing Organizational Certificate Procurement Policies
Large organizations often have specific policies regarding which Certificate Authorities (CAs) their various departments and teams are permitted to use for SSL Certificate procurement.
Without Certification Authority Authorization (CAA) records, any employee with access to domain validation methods could potentially obtain SSL Certificates from any Certificate Authority (CA), potentially circumventing procurement policies or creating security blind spots where SSL Certificates are issued without proper oversight.
Certification Authority Authorization (CAA) records allow IT security teams to enforce procurement policies at the Domain Name System (DNS) level. By restricting authorized Certificate Authorities (CAs) to only those approved by the organization, Certification Authority Authorization (CAA) ensures that SSL Certificate issuance aligns with corporate security standards regardless of which individual initiates the SSL Certificate request. This centralized control is especially important for organizations managing hundreds or thousands of domains across multiple business units.
Why SSL Certificate Orders May Fail Due to Certification Authority Authorization (CAA) Records
When your SSL Certificate order encounters a Certification Authority Authorization (CAA) related failure, understanding the root cause helps you resolve the issue quickly and complete your order successfully.
Several scenarios can trigger Certification Authority Authorization (CAA) failures during the SSL Certificate issuance process.
Certification Authority Authorization (CAA) Records That Do Not Include the Issuing Certificate Authority (CA)
The most common cause of Certification Authority Authorization (CAA) related SSL Certificate issuance failures occurs when a domain has Certification Authority Authorization (CAA) records published but those records do not include the Certificate Authority (CA) attempting to issue the SSL Certificate.
If you have previously configured Certification Authority Authorization (CAA) records to authorize a different Certificate Authority (CA) and then order an SSL Certificate through Trustico® without updating your Certification Authority Authorization (CAA) records, the issuance will fail because our partner Sectigo® is not listed as an authorized issuer for your domain.
This situation frequently arises when organizations switch SSL Certificate providers or when domain administrators are unaware that Certification Authority Authorization (CAA) records were previously configured.
The solution requires either adding the appropriate Certification Authority Authorization (CAA) record to authorize Sectigo® or removing the restrictive Certification Authority Authorization (CAA) records entirely if you no longer wish to enforce Certificate Authority (CA) restrictions on your domain.
Domain Name System (DNS) Configuration Errors and SERVFAIL Responses
Certificate Authorities (CAs) may also encounter Certification Authority Authorization (CAA) failures when Domain Name System (DNS) queries return error responses rather than a clear answer about Certification Authority Authorization (CAA) record presence.
A SERVFAIL response indicates that the Domain Name System (DNS) server encountered a problem while processing the query, which could result from Domain Name System Security Extensions (DNSSEC) validation failures, authoritative nameserver outages, or misconfigured Domain Name System (DNS) infrastructure.
When a Certificate Authority (CA) receives a SERVFAIL response, it cannot determine whether Certification Authority Authorization (CAA) records exist or what they contain, so it must refuse to issue the SSL Certificate as a security precaution.
Domain Name System Security Extensions (DNSSEC) related SERVFAIL errors are particularly common and can be challenging to diagnose without specialized tools. If your domain uses Domain Name System Security Extensions (DNSSEC) and you experience Certification Authority Authorization (CAA) failures, verify that your Domain Name System Security Extensions (DNSSEC) configuration is correct and that signature records are valid and not expired.
Domain Name System (DNS) debugging tools like DNSViz can help identify specific Domain Name System Security Extensions (DNSSEC) issues that may be causing validation failures.
Timeout and Nameserver Availability Issues
Domain Name System (DNS) queries for Certification Authority Authorization (CAA) records may fail due to network issues, firewall configurations, or nameserver availability problems.
If the Certificate Authority's (CA's) Domain Name System (DNS) resolver cannot reach your authoritative nameservers within the timeout period, the Certification Authority Authorization (CAA) check fails and SSL Certificate issuance is blocked.
Some firewalls or Domain Name System (DNS) servers are configured to drop queries for unfamiliar record types, which can cause Certification Authority Authorization (CAA) queries to time out even when the nameserver is otherwise functioning correctly.
Organizations hosting their own Domain Name System (DNS) infrastructure should verify that their nameservers properly respond to Certification Authority Authorization (CAA) queries.
The expected behavior when no Certification Authority Authorization (CAA) records exist is a NOERROR response with an empty answer section, not a NOTIMP or REFUSED response.
Returning incorrect response codes can cause Certification Authority Authorization (CAA) checks to fail even when no restrictive Certification Authority Authorization (CAA) records are actually present.
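A small interpreter for dig CAA output that maps each response the sections above describe (NOERROR with records, NOERROR with an empty answer, SERVFAIL, REFUSED or NOTIMP, and a timeout) to what the Certificate Authority (CA) does with it. This is an added example, not code from Trustico® or Sectigo®; the dig transcripts are constructed and example.com is a placeholder.

```python
"""Interpret a dig CAA transcript the way a CA's pre-issuance check would.

Added example, not Trustico's or Sectigo's code. The transcripts below are
constructed to mirror the failure cases described in the text; a real one
comes from `dig +comments CAA yourdomain.com`.
"""
import re

STATUS_RE = re.compile(r"status: ([A-Z]+)")
CAA_RR_RE = re.compile(
    r'^(\S+)\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"(.*)"\s*$', re.M)

# Outcomes from the CA's point of view.
NO_RECORDS = "proceed: no CAA records (NOERROR with empty answer)"
HAS_RECORDS = "check the records against the issuing CA"
NXDOMAIN = "no CAA at this name (NXDOMAIN): the CA continues with the parent"
SERVFAIL = "refuse: SERVFAIL hides whether CAA records exist (DNSSEC?)"
TIMEOUT = "refuse: nameservers unreachable or dropping CAA queries"
BAD_RCODE = "refuse: server answered {} instead of NOERROR"


def interpret(dig_output):
    """Return (outcome, records); records are (flags, tag, value) tuples."""
    if "connection timed out" in dig_output:
        return TIMEOUT, []
    m = STATUS_RE.search(dig_output)
    status = m.group(1) if m else "UNKNOWN"
    if status == "SERVFAIL":
        return SERVFAIL, []
    if status == "NXDOMAIN":
        return NXDOMAIN, []
    if status != "NOERROR":  # REFUSED, NOTIMP and similar misconfigurations
        return BAD_RCODE.format(status), []
    records = [(int(f), t.lower(), v)
               for _, f, t, v in CAA_RR_RE.findall(dig_output)]
    return (HAS_RECORDS if records else NO_RECORDS), records


def lists_issuer(records, identifiers, tag="issue"):
    """True if any record with this tag names one of the CA's identifiers."""
    return any(v.split(";", 1)[0].strip().lower() in identifiers
               for _, t, v in records if t == tag)


# Constructed dig transcripts (header and answer lines only).
DIG_EMPTY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 300
"""
DIG_RECORDS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4322
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
example.com.\t3600\tIN\tCAA\t0 issue "sectigo.com"
example.com.\t3600\tIN\tCAA\t0 issuewild "sectigo.com"
"""
DIG_SERVFAIL = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4323\n"
DIG_REFUSED = ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4324\n"
DIG_TIMEOUT = ";; connection timed out; no servers could be reached\n"

if __name__ == "__main__":
    for label, out in [("empty", DIG_EMPTY), ("records", DIG_RECORDS),
                       ("servfail", DIG_SERVFAIL), ("refused", DIG_REFUSED),
                       ("timeout", DIG_TIMEOUT)]:
        outcome, records = interpret(out)
        print(label, "->", outcome, records)
```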
Canonical Name (CNAME) Records and Certification Authority Authorization (CAA) Inheritance
When a domain name has a Canonical Name (CNAME) record pointing to another domain, Certification Authority Authorization (CAA) checking follows the Canonical Name (CNAME) chain to the target domain.
This means that the Certification Authority Authorization (CAA) policy of the Canonical Name (CNAME) target domain applies, not any Certification Authority Authorization (CAA) records on the original domain name.
If your domain uses Canonical Name (CNAME) records that point to third-party services, you may need to coordinate with those service providers to ensure appropriate Certification Authority Authorization (CAA) records are in place, or you may need to restructure your Domain Name System (DNS) to avoid Canonical Name (CNAME) conflicts with Certification Authority Authorization (CAA) requirements.
This Canonical Name (CNAME) behavior can cause unexpected SSL Certificate issuance failures when the target domain has restrictive Certification Authority Authorization (CAA) records that do not include your chosen Certificate Authority (CA).
In such cases, you would need to either request that the target domain owner add appropriate Certification Authority Authorization (CAA) records or change your Domain Name System (DNS) configuration to avoid the Canonical Name (CNAME) dependency.
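The lookup a Certificate Authority (CA) performs, as described in the "How Certification Authority Authorization (CAA) Records Work" and "Structure" sections above and in the Canonical Name (CNAME) section just ended, modelled in Python with RFC 8659 semantics: the climb from a subdomain to the first parent that has records, the flag and tag handling, and the rule that an aliased name takes its CNAME target's policy. This is an added example, not code from Trustico® or Sectigo®; the zone contents and the names example.com, hosting.example, otherca.example and hostingca.example are constructed placeholders.

```python
"""CAA lookup and issuance decision with RFC 8659 semantics.

Added example, not Trustico's or Sectigo's code. Zone data is constructed
in memory so it runs offline; example.com and hosting.example are
placeholder names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int  # 0 = normal; 128 = critical, tag must be understood
    tag: str    # issue, issuewild, iodef, issuemail (case-insensitive)
    value: str  # issuer domain name; ";" alone means no CA may issue


# Constructed zone data: CAA RRsets per owner name, plus CNAME aliases.
ZONE_CAA = {
    "example.com.": [CAA(0, "issue", "sectigo.com"),
                     CAA(0, "iodef", "mailto:security@example.com")],
    "shop.example.com.": [CAA(0, "issue", "otherca.example")],
    "api.example.com.": [CAA(0, "issue", "sectigo.com"),
                         CAA(0, "issuewild", ";")],
    "locked.example.com.": [CAA(128, "futuretag", "x")],
    "sites.hosting.example.": [CAA(0, "issue", "hostingca.example")],
}
ZONE_CNAME = {"blog.example.com.": "sites.hosting.example."}

# Issuer domain names the text lists as authorizing Sectigo.
SECTIGO = {"sectigo.com", "trust-provider.com", "usertrust.com"}
KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail"}


def ancestors(name):
    """Yield the name, then each parent, stopping before the root."""
    labels = name.lower().strip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def relevant_caa(name):
    """Return (owner, rrset) of the first CAA RRset found climbing from
    name toward the root, or (None, None). The climb is why a record on
    example.com covers www.example.com. A CNAME is followed by ordinary
    resolution, so an aliased name takes its target's RRset (not the
    target's parents')."""
    for candidate in ancestors(name):
        lookup = ZONE_CNAME.get(candidate, candidate)
        if lookup in ZONE_CAA:
            return candidate, ZONE_CAA[lookup]
    return None, None


def may_issue(name, ca_identifiers, wildcard=False):
    """Decide whether a CA known by ca_identifiers may issue for name."""
    if name.startswith("*."):  # a wildcard is checked at its parent name
        name, wildcard = name[2:], True
    found, rrset = relevant_caa(name)
    if rrset is None:
        return True, "no CAA records: issuance is unrestricted"
    for rr in rrset:  # critical flag on a tag this CA does not understand
        if rr.flags & 128 and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag {rr.tag!r} at {found}"
    tag = "issuewild" if wildcard else "issue"
    props = [rr for rr in rrset if rr.tag.lower() == tag]
    if wildcard and not props:  # no issuewild: the issue records govern
        props = [rr for rr in rrset if rr.tag.lower() == "issue"]
    if not props:
        return True, f"{found} has no {tag} property: unrestricted"
    for rr in props:
        issuer = rr.value.split(";", 1)[0].strip().lower()  # drop params
        if issuer and issuer in ca_identifiers:
            return True, f"{found} authorizes {issuer}"
    return False, f"{found} does not list this CA under {tag}"


if __name__ == "__main__":
    for host in ["www.example.com.", "shop.example.com.", "blog.example.com.",
                 "locked.example.com.", "*.api.example.com.", "other.test."]:
        print(host, *may_issue(host, SECTIGO))
```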
Configuring Certification Authority Authorization (CAA) Records for Trustico® SSL Certificates
Properly configuring Certification Authority Authorization (CAA) records ensures that your SSL Certificate orders through Trustico® complete successfully while maintaining the security benefits that Certification Authority Authorization (CAA) provides.
Required Certification Authority Authorization (CAA) Values for Sectigo® SSL Certificates
SSL Certificates ordered through Trustico® are issued by our partner Sectigo® and require appropriate Certification Authority Authorization (CAA) authorization if your domain has Certification Authority Authorization (CAA) records configured.
Sectigo® official documentation advises that the following domain names are recognized in the "issue" and "issuewild" property tags as authorizing Sectigo® to issue SSL Certificates for your domain: sectigo.com, trust-provider.com, and usertrust.com.
The primary recommended value for all new Certification Authority Authorization (CAA) configurations is sectigo.com.
To authorize Sectigo® to issue standard SSL Certificates for your domain, you would add a Certification Authority Authorization (CAA) record with the "issue" tag and "sectigo.com" as the value.
If you also require Wildcard SSL Certificate issuance, you should add an additional Certification Authority Authorization (CAA) record using the "issuewild" tag with the same sectigo.com value.
For organizations also using Secure/Multipurpose Internet Mail Extensions (S/MIME) e-mail Certificates through Sectigo® the "issuemail" tag authorizes e-mail signing and encryption Certificate issuance.
A complete Certification Authority Authorization (CAA) configuration authorizing Sectigo® for all Certificate types would include three records: CAA 0 issue "sectigo.com" for standard SSL Certificates, CAA 0 issuewild "sectigo.com" for Wildcard SSL Certificates, and CAA 0 issuemail "sectigo.com" for Secure/Multipurpose Internet Mail Extensions (S/MIME) Certificates.
Note that a single Certification Authority Authorization (CAA) record with the "issue" tag applies to all hosts and subdomains under your domain, so you typically do not need separate records for www.yourdomain.com, shop.yourdomain.com, or other subdomains.
Adding Certification Authority Authorization (CAA) Records Through Your Domain Name System (DNS) Provider
The process for adding Certification Authority Authorization (CAA) records varies depending on your Domain Name System (DNS) provider or hosting service.
Most modern Domain Name System (DNS) management interfaces include specific support for Certification Authority Authorization (CAA) record types, allowing you to select the record type from a dropdown menu and enter the flag, tag, and value fields.
Domain Name System (DNS) servers that support Certification Authority Authorization (CAA) records include BIND version 9.9.6 and above, PowerDNS version 4.0.0 and above, NSD version 4.0.1 and above, Knot DNS version 2.2.0 and above, Google Cloud DNS, and DNSimple.
If your Domain Name System (DNS) provider uses an older version, you may be able to add Certification Authority Authorization (CAA) records using the generic RFC 3597 syntax.
When creating your Certification Authority Authorization (CAA) record, set the name field to your domain name, the Time to Live (TTL) to a reasonably low value such as 300 or 3600 seconds, the flag to 0, the tag to "issue" or "issuewild" as appropriate, and the value to sectigo.com enclosed in quotation marks.
The standard BIND zone file format for the issue tag would appear as: yourdomain.com. IN CAA 0 issue "sectigo.com"
After saving the record, allow time for Domain Name System (DNS) propagation before retrying your SSL Certificate order. Domain Name System (DNS) changes can take anywhere from a few minutes to 48 hours to propagate globally, though most changes are visible within one to four hours.
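For a Domain Name System (DNS) server that predates native Certification Authority Authorization (CAA) support, the RFC 3597 generic syntax mentioned above can be produced from the flag, tag and value of the record just described, and read back for verification. This is an added example, not code from Trustico® or Sectigo®; yourdomain.com is a placeholder as in the text.

```python
"""Write and read a CAA record in RFC 3597 generic (\\# length hex) syntax.

Added example, not Trustico's or Sectigo's code. The wire layout follows
RFC 8659: one flags byte, one tag-length byte, the tag, then the value.
"""
import re

CAA_TYPE = 257  # IANA resource record type number for CAA


def caa_wire(flags, tag, value):
    """Encode CAA RDATA: flags | tag length | tag | value."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    if not (1 <= len(tag) <= 15 and tag.isascii() and tag.isalnum()):
        raise ValueError("tag must be 1-15 ASCII letters or digits")
    tag_b = tag.encode("ascii")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")


def to_rfc3597(flags, tag, value):
    """Presentation form usable in a zone that lacks native CAA support."""
    wire = caa_wire(flags, tag, value)
    return f"TYPE{CAA_TYPE} \\# {len(wire)} {wire.hex()}"


def from_rfc3597(text):
    """Parse 'TYPE257 \\# <len> <hex...>' back into (flags, tag, value)."""
    m = re.fullmatch(r"TYPE257\s+\\#\s+(\d+)\s+([0-9A-Fa-f\s]*)", text.strip())
    if not m:
        raise ValueError("not RFC 3597 CAA syntax")
    wire = bytes.fromhex("".join(m.group(2).split()))
    if len(wire) != int(m.group(1)):
        raise ValueError("declared length does not match data")
    flags, tag_len = wire[0], wire[1]
    tag = wire[2:2 + tag_len].decode("ascii")
    value = wire[2 + tag_len:].decode("utf-8")
    return flags, tag, value


if __name__ == "__main__":
    generic = to_rfc3597(0, "issue", "sectigo.com")
    print("yourdomain.com. IN", generic)  # equivalent to: IN CAA 0 issue "sectigo.com"
    print(from_rfc3597(generic))
```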
Choosing Between Certification Authority Authorization (CAA) Records and No Certification Authority Authorization (CAA) Records
Domain owners should consider whether implementing Certification Authority Authorization (CAA) records aligns with their security requirements and operational capabilities.
If you do not publish any Certification Authority Authorization (CAA) records, all Certificate Authorities (CAs) are permitted to issue SSL Certificates for your domain, which provides maximum flexibility but foregoes the security benefits of restricting issuance. This approach is suitable for most small to medium websites where the administrative overhead of maintaining Certification Authority Authorization (CAA) records outweighs the security benefit.
If you choose to implement Certification Authority Authorization (CAA) records, ensure that you include all Certificate Authorities (CAs) that may legitimately need to issue SSL Certificates for your domain.
Forgetting to include a Certificate Authority (CA) in your Certification Authority Authorization (CAA) records will cause SSL Certificate orders to fail until the records are updated.
Organizations using multiple SSL Certificate providers or third-party services that provision their own SSL Certificates should carefully audit all potential issuers before implementing restrictive Certification Authority Authorization (CAA) policies.
Using the Trustico® Tracking System to Monitor Order Status
The Trustico® tracking system provides customers with comprehensive visibility into their SSL Certificate orders, including detailed status information and tools for resolving issues that may prevent successful issuance.
Checking Your SSL Certificate Order Status
After placing an SSL Certificate order through Trustico® you can monitor its progress through our tracking system. The dashboard displays the current status of each order, including whether the order is awaiting validation, processing with the Certificate Authority (CA), or has encountered an issue requiring attention.
Regular status checks help you identify and address any problems quickly, minimizing delays in obtaining your SSL Certificate.
The tracking system consolidates information from the Certificate Authority's (CA's) systems to provide you with accurate, up-to-date status information.
If your order encounters a Certification Authority Authorization (CAA) related failure, the dashboard will indicate this status and provide options for resolving the issue. This centralized visibility eliminates the need to contact support for routine status inquiries and empowers you to take immediate action when problems arise.
Identifying Certification Authority Authorization (CAA) Errors in the Tracking System
When an SSL Certificate order fails due to a Certification Authority Authorization (CAA) record issue, the Trustico® tracking system clearly indicates that a Certification Authority Authorization (CAA) related problem prevented issuance.
The order status will reflect that the pre-signing checks failed, and you will see a Manage CAA Status button that provides access to tools for resolving the issue. This clear identification helps you understand exactly why your order did not complete and what steps you need to take to resolve the problem.
Requesting a Certification Authority Authorization (CAA) Status Refresh
After you have corrected your Certification Authority Authorization (CAA) records by either adding the appropriate authorization for Sectigo® or removing restrictive Certification Authority Authorization (CAA) records that were blocking issuance, you can request that Trustico® re-check your Certification Authority Authorization (CAA) status through the tracking system.
The Refresh CAA Status button instructs the Certificate Authority (CA) to perform a fresh Certification Authority Authorization (CAA) lookup for your domain, allowing your SSL Certificate order to proceed once the updated records are detected.
The Certification Authority Authorization (CAA) refresh functionality includes a cooldown period to prevent excessive queries and ensure efficient processing.
After requesting a refresh, you will need to wait approximately 15 minutes before you can request another refresh. This interval allows adequate time for Domain Name System (DNS) propagation and for the Certificate Authority (CA) to process the retry request.
Once the Certification Authority Authorization (CAA) check passes successfully, your SSL Certificate order will continue through the standard issuance process.
Best Practices for Certification Authority Authorization (CAA) Record Management
Implementing Certification Authority Authorization (CAA) records effectively requires ongoing attention to ensure that your security policies remain aligned with your operational requirements.
Document Your Certification Authority Authorization (CAA) Configuration
Maintain clear documentation of which Certificate Authorities (CAs) you have authorized in your Certification Authority Authorization (CAA) records and the business reasons for each authorization. This documentation proves invaluable when troubleshooting SSL Certificate issuance failures, onboarding new team members, or reviewing your security posture during audits.
Include information about which domains have Certification Authority Authorization (CAA) records, the specific values configured, and the date of last review or modification.
Documentation should also note any third-party services that require SSL Certificate issuance capabilities for your domains.
Content delivery networks, cloud hosting platforms, and managed security services may provision SSL Certificates automatically, and their Certificate Authority (CA) requirements should be factored into your Certification Authority Authorization (CAA) configuration.
Failing to account for these services can cause unexpected failures in automated SSL Certificate provisioning.
Test Certification Authority Authorization (CAA) Records Before Ordering SSL Certificates
Before placing an SSL Certificate order, verify that your Certification Authority Authorization (CAA) records are correctly configured and will permit issuance from your chosen Certificate Authority (CA).
Online Domain Name System (DNS) lookup tools can query Certification Authority Authorization (CAA) records for any domain, allowing you to confirm that the expected authorizations are in place. Proactive verification helps avoid order delays caused by misconfigured Certification Authority Authorization (CAA) records.
Testing should include verification from multiple geographic locations, as Domain Name System (DNS) propagation may not be uniform globally.
What appears correct from your local network may not yet be visible to the Certificate Authority's (CA's) Domain Name System (DNS) resolvers in other regions. Allow adequate propagation time after making Certification Authority Authorization (CAA) record changes before assuming the configuration is complete.
Consider Using the Incident Object Description Exchange Format (IODEF) Tag for Monitoring
The Incident Object Description Exchange Format (IODEF) tag, written as "iodef" in the Certification Authority Authorization (CAA) record, allows you to specify an e-mail address or URL where Certificate Authorities (CAs) can report attempted SSL Certificate issuance requests that were denied due to Certification Authority Authorization (CAA) policy.
This reporting mechanism provides visibility into potential security incidents where unauthorized parties may be attempting to obtain SSL Certificates for your domains.
While not all Certificate Authorities (CAs) support Incident Object Description Exchange Format (IODEF) reporting, implementing this tag provides an additional layer of monitoring for domains where unauthorized SSL Certificate issuance could have significant security implications.
The reports can help identify compromised validation methods, targeted attacks, or simply misconfigured systems within your organization that are attempting to use unauthorized Certificate Authorities (CAs).
It's About Trust
Certification Authority Authorization (CAA) records provide domain owners with important control over SSL Certificate issuance, helping prevent unauthorized SSL Certificates from being issued for their domains.
While Certification Authority Authorization (CAA) records are not required for SSL Certificate issuance, understanding how they work and how to configure them correctly ensures your SSL Certificate orders through Trustico® complete without delays.
If your order encounters a Certification Authority Authorization (CAA) related failure, the Trustico® tracking system provides clear identification of the issue and tools to request a re-check once you have updated your Domain Name System (DNS) configuration.
Proper Certification Authority Authorization (CAA) management balances security benefits with operational requirements, allowing you to maintain control over your domain's SSL Certificate policy while ensuring legitimate orders process smoothly.