CAA Records

Setting a CAA record on your domain can prevent certificates being issued

Before issuing a certificate the Certificate Authority checks the domains DNS record for the domain for a CAA record.


CAA Record not required

A CAA record is NOT REQUIRED to be able to issue a certificate. If you already have a CAA record on your domain then you must ensure that either DigiCert or Sectigo are able to issue certificates for your domain.

The CA can only issue a certificate if one of the following conditions are met:

  • There is no CAA record for the domain
  • A CAA record exists on the domain authorizing the CA to issue a certificate.

To allow the issuance of Sectigo and PositiveSSL certificates you must add the following CAA record

CAA 0 issue ""

To allow the issuance of DigiCert, RapidSSL, Geotrust or Thawte certificates you must add any of the following CAA records

CAA 0 issue ""
CAA 0 issue ""
CAA 0 issue ""
CAA 0 issue ""

You can check which CAA records exist on a domain by using the Servertastic CAA Validator.

If a CAA record exists and none of the above are listed on the domain then we are unable to issue a certificate for the domain.