What is CAA?
CAA is a standard that lets you control what certificate authorities (CAs) are allowed to issue certificates for your domain. You can use CAA to reduce your exposure to vulnerabilities in certificate authority validation systems and to enforce certificate procurement policies.
To use CAA, you publish a set of CAA records in your domain's DNS that list the CAs which you authorize to issue certificates. Before issuing a certificate, the CA checks your CAA records and blocks the request if they are not listed.
What is a CAA record?
CAA records can set policy for the entire domain, or for specific HostNames.
CAA records are also inherited by sub-domains.
CAA records can regulate the issuance single-name certificates, wildcard certificates, or both.
note: All CA's will be mandated to check CAA DNS records starting in late 2017 (Sep 8 to be precise)
Sectigo recognizes the following domain names in "issue" and "issuewild" property tags as permitting us to issue:
How to resolve CAA Check pre-sign failures and authorize Sectigo to issue certificates for your domain
Update the domain's DNS record to include a CAA record for "sectigo.com".
For more detailed information about how to access and edit DNS records on your domain, contact your domain registrar.
1. Open the CAA DNS zone file.
2. Under $ORIGIN yourdomain.com, add the line, CAA 0 issue “sectigo.com”. (See Valid CAA Resource Record Values.)
. CAA 0 issue "sectigo.com"
. CAA 0 issuewild "sectigo.com
note: This single CAA Record applies to all hosts and subdomains under your domain (www.yourdomain.com, shop.yourdomain.com, checkout.yourdomain.com, etc.).
The following DNS servers support CAA records:
Standard BIND Zone File
For BIND ≥9.9.6, PowerDNS ≥4.0.0, NSD ≥4.0.1, Knot DNS ≥2.2.0
Example: sectigo.com. IN CAA 0 issue 'sectigo.com'
For Google Cloud DNS, DNSimple
0 issue 'sectigo.com'
Additional Reference Information: https://tools.ietf.org/html/rfc6844