CAA Records

Setting a CAA record on your domain can prevent certificates from being issued

Before issuing a certificate, the Certificate Authority (CA) checks the domain's DNS records for a CAA record.


CAA Record not required

A CAA record is NOT REQUIRED to be able to issue a certificate. If you already have a CAA record on your domain, then you must ensure that either DigiCert or Sectigo is authorized by it to issue certificates for your domain.

The CA can only issue a certificate if one of the following conditions is met:

  • There is no CAA record for the domain.
  • A CAA record exists on the domain authorizing the CA to issue a certificate.

To allow the issuance of Sectigo and PositiveSSL certificates you must add the following CAA record:

CAA 0 issue "sectigo.com"

To allow the issuance of DigiCert, RapidSSL, GeoTrust or Thawte certificates you must add one of the following CAA records:

CAA 0 issue "digicert.com"
CAA 0 issue "geotrust.com"
CAA 0 issue "rapidssl.com"
CAA 0 issue "thawte.com"

You can check which CAA records exist on a domain by using the Servertastic CAA Validator.

If a CAA record exists on the domain and none of the CAs listed above are authorized by it, then we are unable to issue a certificate for the domain.
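The two conditions above and the CAA values listed for each brand, modelled as an added example (not Servertastic's or any CA's code). It uses a constructed zone instead of live DNS and also walks up to parent names when a subdomain has no CAA record of its own, which is how RFC 8659 defines the relevant record set.

```python
# Added example: models the CAA check a CA performs before issuing (RFC 8659).
# The zone data below is constructed for illustration, not looked up from DNS.
from __future__ import annotations

# Constructed sample zone: name -> list of (flags, tag, value) CAA records.
# An empty list means the name exists but carries no CAA record.
SAMPLE_ZONE = {
    "example.com.": [(0, "issue", "sectigo.com")],
    "shop.example.com.": [],                         # no own record, inherits parent's
    "nocaa.example.": [],                            # no CAA anywhere in the tree
    "locked.example.": [(0, "issue", ";")],          # ';' means no CA may issue
    "multi.example.": [(0, "issue", "digicert.com"), (0, "issue", "geotrust.com")],
}

# CAA identifiers the page lists for each brand.
SECTIGO_CAA = {"sectigo.com"}
DIGICERT_CAA = {"digicert.com", "geotrust.com", "rapidssl.com", "thawte.com"}


def relevant_caa_set(zone: dict, name: str) -> list[tuple[int, str, str]]:
    """Return the CAA record set that governs `name`.

    RFC 8659: use the records on the name itself; if it has none, walk up
    the parent labels until a CAA record set is found. None anywhere means
    no CAA restriction applies.
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []


def ca_may_issue(zone: dict, name: str, ca_identifier: str) -> bool:
    """Apply the page's two conditions: no CAA record, or a record naming the CA."""
    rrset = relevant_caa_set(zone, name)
    if not rrset:
        return True  # condition 1: no CAA record for the domain
    # A critical flag (128) on a tag this checker does not understand means refuse.
    if any(flags & 128 and tag != "issue" for flags, tag, _ in rrset):
        return False
    issue_values = [value for _, tag, value in rrset if tag == "issue"]
    if not issue_values:
        return True  # CAA present but no 'issue' tag: issuance is unrestricted
    # An issue value may carry parameters after ';', so compare only the CA name.
    allowed = {v.split(";")[0].strip().lower() for v in issue_values}
    return ca_identifier.lower() in allowed  # condition 2: CA explicitly authorized


def any_listed_ca_may_issue(zone: dict, name: str) -> bool:
    """True if at least one CA named on the page could issue for `name`."""
    return any(ca_may_issue(zone, name, ca) for ca in SECTIGO_CAA | DIGICERT_CAA)
```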