To protect your own website from misuse, it can be useful to add a CAA record ("Certificate Authority Authorization") to the DNS settings of your domain. This DNS record type determines which certificate authorities are authorized to issue an SSL certificate for the domain.
In March 2017, the CA/Browser Forum issued a guideline that requires all certificate authorities to check a domain's CAA records before issuing and renewing a certificate as of 09/09/2017. If no CAA record has been created for a domain, then any certification authority may issue a corresponding certificate for that domain. However, if a CAA record exists, then the certification authority may only issue a certificate if it has been authorized by such a record.
CAA records are checked from the subdomain level upwards. This means that if a subdomain does not have a CAA entry, the certification authority checks the next higher domain level, and so on, until the main domain has been reached. A subdomain can carry CAA entries that differ from those of the higher domain level, so in theory different certification authorities can be authorized for different parts of the domain. As a rule, however, a CAA record is only created for the main domain.
A CAA record may look like the following:

Domain name    | Class | DNS type | Flag | Property | Certification authority
yourdomain.tld | IN    | CAA      | 0    | issue    | "trust-provider.com"
The target value of a CAA record consists of a flag, a property, and the certification authority to be approved.
To authorize us to create an SSL certificate for your domain, please use the value "trust-provider.com" in your DNS settings. The entries should then read as follows:
domain.tld IN CAA 0 issue "trust-provider.com"
domain.tld IN CAA 0 issuewild "trust-provider.com"
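The lookup rules above, as an added example that is not part of this article and not the provider's own tooling: walk from the requested name up through the parent domains until a CAA set is found, then apply the issue or issuewild property to decide whether a given certification authority may issue. The zone contents and the names other-ca.example, locked.tld and report.tld are constructed; trust-provider.com is the identifier used on this page.

```python
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]  # (flag, property tag, value)

# Constructed sample zone: owner name -> its CAA records. Only domain.tld and
# app.domain.tld carry records; every other name inherits from its parent.
ZONE: Dict[str, List[CaaRecord]] = {
    "domain.tld": [(0, "issue", "trust-provider.com"),
                   (0, "issuewild", "trust-provider.com")],
    "app.domain.tld": [(0, "issue", "other-ca.example")],
    "locked.tld": [(0, "issue", ";")],                     # ";" means no CA may issue
    "report.tld": [(0, "iodef", "mailto:sec@report.tld")],  # no issuance restriction
}


def relevant_caa(name: str, zone: Dict[str, List[CaaRecord]] = ZONE) -> List[CaaRecord]:
    """Return the first CAA set found when climbing from `name` towards the main
    domain (the 'relevant record set' of RFC 8659). A leading wildcard label is
    dropped first, so *.domain.tld starts its search at domain.tld."""
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        records = zone.get(".".join(labels))
        if records:
            return records
        labels = labels[1:]  # move one level up
    return []


def may_issue(ca: str, name: str, zone: Dict[str, List[CaaRecord]] = ZONE) -> bool:
    """Decide whether certification authority `ca` may issue a certificate for `name`."""
    records = relevant_caa(name, zone)
    if not records:
        return True  # no CAA record anywhere up the tree: any CA may issue
    tag = "issue"
    if name.startswith("*.") and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"  # issuewild, when present, governs wildcard requests
    # Keep the CA identifier only; parameters after ';' are ignored here.
    allowed = [v.split(";", 1)[0].strip().lower() for _, t, v in records if t == tag]
    if not allowed:
        return True  # only other properties (e.g. iodef) present: no restriction
    return ca.lower() in allowed  # a bare ";" yields "" so no CA matches
```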