Mandatory Certificate Authority Authorisation (CAA) checking from September 2017


From September 8, 2017, Certificate Authority Authorisation (CAA) checking and processing will be mandatory for all Certificate Authorities (CAs).


What is Certificate Authority Authorisation (CAA)?

CAA allows domain owners to control which CAs are allowed to issue certificates for their domain by adding a record to the domain's DNS zone.

The purpose of CAA is to reduce the risk of unauthorised and unknown issuance of SSL/TLS certificates for a domain. By requiring a mandatory check, CAs will know not to issue a certificate for that domain if they are not listed as an authorised CA.


What does this mean for you, the domain owner?

Using CAA is optional for domain owners.

It is up to you if you want to:

  • implement CAA or not
  • authorise multiple CAs to issue certificates
  • authorise a CA separately for wildcard and for non-wildcard certificates

Example CAA code you would need to add to your DNS zone file:

$ORIGIN example.com.

; "@" is the zone origin (example.com.); a bare "." would mean the DNS root
@       CAA 0 issue "your-chosen-CA.com"

To find out how to access and edit your DNS zone file, contact your domain registrar.
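
The check a CA performs against these records, including the wildcard and non-wildcard split from the list above, as an added Python example (not code from SSL247 or any CA). It follows the processing rules of RFC 8659, the current CAA specification; the ZONE table, the CA names and the account parameter are constructed placeholders standing in for real DNS lookups.

```python
# Added example: CAA evaluation as described in RFC 8659, on constructed data.
# ZONE stands in for DNS lookups; the CA names are placeholders.
ZONE = {
    "example.com": [(0, "issue", "ca-one.example"),
                    (0, "issue", "ca-two.example; account=230123"),
                    (0, "issuewild", "ca-two.example")],
    "locked.example.com": [(0, "issue", ";")],       # no CA may issue
    "odd.example.com": [(128, "futuretag", "x")],    # unknown critical tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(name, zone):
    """Climb from the name towards the root; the first CAA set found applies."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def ca_may_issue(ca_domain, name, zone=ZONE):
    """True if a CA identified by ca_domain may issue for name."""
    rrset = [(flags, tag.lower(), value)
             for flags, tag, value in relevant_rrset(name, zone)]
    # A critical (flag bit 128) property the CA does not understand blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag == "issue"]
    wild = [v for _, tag, v in rrset if tag == "issuewild"]
    # For wildcard names, issuewild replaces issue when at least one is present.
    props = wild if name.startswith("*.") and wild else issue
    if not props:
        return True  # no CAA records, or none that restrict this request
    # The issuer domain is the part before any ';' parameters; ";" alone is empty.
    allowed = {v.split(";", 1)[0].strip().lower() for v in props}
    return ca_domain.lower() in allowed
```

Running it against the records you plan to publish, once per CA and per certificate type in use, shows before the change goes live whether any department's CA would be refused.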


What are our partner CAs saying about Certificate Authority Authorisation?

  • "This requirement will be supported from August 29, 2017.

    CAA is a simple way to express your preference of CAs. You can add CAA information to DNS, and change it when you wish."



  • "CAA may be the best way to protect domain owners from having fraudulent certificates issued in their domain name.

    This has become increasingly important with the proliferation of unauthorized DV certificates."


  • "GlobalSign will start enforcing CAA on August 28, 2017.

    Be sure you use caution when creating CAA records. If you have other departments obtaining certificates you need to coordinate to be sure that all CAs in use will be added to your CAA records."




  • "All CAs will be mandated to check CAA DNS records starting in late 2017.

    Comodo, however, has been supporting this on ALL certificates for the last 12+ months."







Links to additional information:

  1. Section '3.2.2.8 - CAA Records' of the CA/Browser Forum's Baseline Requirements Document
  2. DNS Certification Authority Authorization (CAA) Resource Record from the IETF



Posted on Tuesday 12 September 2017 by Wesley Hall
