What is a CAA entry and how does it work?


To protect your own website from misuse, it can be useful to add a CAA record ("Certificate Authority Authorization") to the DNS settings of your domain. This DNS record type determines which certificate authorities are authorized to issue an SSL certificate for the domain.

In March 2017, the CA/Browser Forum issued a guideline that requires all certificate authorities to check a domain's CAA records before issuing or renewing a certificate, effective 09/09/2017. If no CAA record has been created for a domain, any certificate authority may issue a certificate for that domain. If a CAA record exists, however, a certificate authority may only issue a certificate if that record authorizes it.

CAA records are checked from the subdomain level upwards: if a subdomain has no CAA record, the certificate authority checks the next higher domain level until it reaches the main domain. A subdomain can therefore carry different CAA records from the domain level above it, so in theory different certificate authorities can be authorized at each level. As a rule, however, a CAA record is only created for the main domain.

How is a CAA record structured?

A CAA record may look like the following:

yourdomain.tld IN CAA 0 issue "trust-provider.com"

  • yourdomain.tld IN – Domain name
  • CAA – DNS type
  • 0 – Flag
  • issue – Property
  • "trust-provider.com" – Certification authority


The target value of a CAA record consists of a flag, a property, and the certification authority to be approved.

  • Flag
    The flag specifies how a certification authority should treat a CAA record. A value from 0 to 255 can be entered here. The most important values are 0, which stands for non-critical, and 128, which means critical. "Non-critical" means that the certification authority should ignore entries in the CAA record that it cannot evaluate. "Critical" means that the certification authority must not issue a certificate if it cannot evaluate the entries in the CAA record.
  • Properties
    There are 3 properties that can be used in a CAA record:
    • issue
      This value specifies which certificate authorities are allowed to issue a certificate for the domain. It must be used for all certificates that are not wildcard certificates.
    • issuewild
      This value specifies which certificate authorities are allowed to issue a wildcard certificate for the domain. If this value is not set, the value of issue also applies to wildcard certificates.
    • iodef
      This property allows you to provide contact information for the certification authorities. Specifying it is optional, and many certification authorities do not support this property.
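The lookup and evaluation rules described above (climbing from the subdomain upwards, the critical flag, and issuewild falling back to issue) as an added Python example; this is not code from the article or from EuropeanSSL, it runs against a constructed in-memory zone instead of real DNS, and the owner names and the second CA name "other-ca.example" are made up.

```python
# Added example (not from the article): CAA evaluation over a constructed zone.
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flag: int   # 0 = non-critical, 128 = critical
    tag: str    # property: "issue", "issuewild" or "iodef"
    value: str  # CA identifier (";" alone = no CA), or a contact URL for iodef

# Constructed zone data; owner names and "other-ca.example" are made up.
ZONE = {
    "example.com": [CAA(0, "issue", "trust-provider.com"),
                    CAA(0, "issuewild", ";"),      # no wildcard certs at all
                    CAA(0, "iodef", "mailto:security@example.com")],
    "shop.example.com": [CAA(0, "issue", "other-ca.example")],
    "legacy.example.com": [CAA(128, "futureprop", "x")],  # critical, unknown
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_caa_set(name, zone):
    """Climb from `name` towards the main domain and return the first CAA
    record set found (a leading '*.' is stripped first); [] if none exists."""
    labels = (name[2:] if name.startswith("*.") else name).split(".")
    for i in range(len(labels) - 1):            # stop before the bare TLD
        owner = ".".join(labels[i:])
        if owner in zone:
            return zone[owner]
    return []

def may_issue(ca, name, zone=ZONE):
    """Whether certificate authority `ca` may issue for `name`
    (a '*.' prefix means a wildcard certificate is requested)."""
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True                             # no CAA record: anyone may issue
    if any(r.flag & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False                            # critical entry we cannot evaluate
    wildcard = name.startswith("*.")
    # issuewild governs wildcard requests only when present; otherwise issue applies
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    issuers = [r.value.split(";")[0].strip() for r in rrset if r.tag == tag]
    if not issuers:
        return True                             # no issue/issuewild entry: unrestricted (RFC 8659)
    return ca in issuers                        # "issue ;" yields "" and so denies every CA

if __name__ == "__main__":
    print(may_issue("trust-provider.com", "www.example.com"))    # True
    print(may_issue("trust-provider.com", "*.example.com"))      # False
```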

Which CAA record do I have to use to authorize EuropeanSSL for my domain?

To authorize us to issue an SSL certificate for your domain, use the value "trust-provider.com" in your DNS settings. The entries should then read as follows:

domain.tld IN CAA 0 issue "trust-provider.com"
domain.tld IN CAA 0 issuewild "trust-provider.com"
