CAA Records
A CAA (Certification Authority Authorization) record lets a domain owner state which Certificate Authorities are allowed to issue certificates for the domain. Setting one therefore blocks issuance by any CA that is not listed.
Before issuing a certificate, the Certificate Authority looks up the CAA records for the domain in DNS. If the exact name has no CAA record, the CA checks each parent domain in turn, so a CAA record on example.com also applies to www.example.com unless www.example.com has a CAA record of its own.
CAA Record not required
A CAA record is NOT REQUIRED in order to issue a certificate. If you already have a CAA record on your domain, you must ensure that it allows DigiCert or Sectigo (whichever brand you are ordering) to issue certificates for your domain.
The CA can only issue a certificate if one of the following conditions is met:
- There is no CAA record for the domain (or for any of its parent domains)
- A CAA record exists for the domain that authorizes the CA to issue a certificate.
To allow the issuance of Sectigo and PositiveSSL certificates, add the following CAA record:
CAA 0 issue "sectigo.com"
To allow the issuance of DigiCert, RapidSSL, GeoTrust or Thawte certificates, add any one of the following CAA records:
CAA 0 issue "digicert.com"
CAA 0 issue "geotrust.com"
CAA 0 issue "rapidssl.com"
CAA 0 issue "thawte.com"
You can check which CAA records exist on a domain with the Servertastic CAA Validator.
If a CAA record exists and none of the CAs above are listed for the domain, we are unable to issue a certificate for that domain until the record is updated.
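The following is an added example, not Servertastic's own code or tooling, showing how a CA evaluates the rules above (RFC 8659): find the closest CAA record set by walking from the requested name up through its parents, allow issuance if there is none, and otherwise require the CA's issuer domain to appear in an `issue` record. The zone data (`example.com`, `locked.example.net`, `wild.example.org`, `strict.example.org`) is a constructed in-memory stand-in for real DNS so the code runs offline.

```python
"""Added example (not Servertastic's code): CAA evaluation per RFC 8659.

A constructed in-memory zone replaces a real DNS resolver so this runs offline.
"""
from typing import NamedTuple


class CAA(NamedTuple):
    flags: int   # 128 = "issuer critical" bit set
    tag: str     # issue, issuewild, iodef, ...
    value: str   # e.g. "sectigo.com", or ";" meaning no CA may issue


# Constructed sample zone (an assumption for the example, not real DNS data).
ZONE = {
    "example.com": [
        CAA(0, "issue", "sectigo.com"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    # ";" as the issuer domain forbids every CA.
    "locked.example.net": [CAA(0, "issue", ";")],
    # Ordinary certs allowed for DigiCert, wildcard certs for nobody.
    "wild.example.org": [CAA(0, "issue", "digicert.com"), CAA(0, "issuewild", ";")],
    # An unknown tag with the critical flag set: the CA must refuse.
    "strict.example.org": [CAA(128, "futuretag", "x"), CAA(0, "issue", "digicert.com")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(name: str) -> list:
    """Return the CAA RRset of `name`, else of the closest parent that has one.

    RFC 8659 section 3: the first ancestor (including the name itself) with a
    CAA RRset is the one that applies.  An empty list means no CAA anywhere.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """The record value is 'issuer-domain [; param=value ...]'; keep the domain only."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Decide whether the CA identified by `ca_domain` may issue for `name`."""
    rrset = relevant_caa(name)
    if not rrset:
        return True  # no CAA record on the name or any parent: any CA may issue

    # A property the CA does not understand, marked critical, forbids issuance.
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False

    # For a wildcard request, issuewild records (if any exist) replace issue records.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"

    rules = [r for r in rrset if r.tag == tag]
    if not rules:
        return True  # CAA present (e.g. only iodef) but no issuance restriction

    return ca_domain.lower() in {issuer_domain(r.value) for r in rules}


if __name__ == "__main__":
    for host, ca, wild in [
        ("www.example.com", "sectigo.com", False),   # inherits example.com: allowed
        ("www.example.com", "digicert.com", False),  # not listed: refused
        ("wild.example.org", "digicert.com", True),  # issuewild ";" : refused
    ]:
        print(f"{'*.' if wild else ''}{host:20} {ca:14} -> {may_issue(host, ca, wild)}")
```

Two practical consequences follow from this logic. A CAA record on the apex covers every subdomain that has no CAA record of its own, so one `issue "sectigo.com"` at example.com is enough for www.example.com. For wildcard certificates the CA consults `issuewild` records when they exist, so a domain can allow a CA to issue ordinary certificates while still refusing wildcards.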