The world of Certificate Authorities is strictly regulated. It takes massive technical and financial effort to fulfill all auditing requirements. Even so, getting trusted by browsers and operating systems is the easiest part. Maintaining trust online is the real challenge.
There’s a reason why most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, trust DigiCert when it comes to data encryption. Likewise, Sectigo’s market dominance with over three million customers makes perfect sense. These reliable Certificate Authorities have been at the forefront of the SSL industry. The quality of their services has passed the test of time.
That’s not to say other CAs are less secure or reliable. But, as with everything in life, people’s preferences differ when it comes to CAs. Customer’s loyalty to a brand is driven not only by dependability but by emotional connection and bias as well.
If you don’t like or trust a particular Certificate Authority for whatever reason, you can block it from issuing SSL certificates on your behalf. Yes, you’ve read it right. You, as the website owner, have the power to choose what CAs can sign SSL certs for your domain. All you have to do is add something known as a CAA record. In this article, we’ll explain what a CAA record is and how it works. We’ll show you how to create a CAA record, and list a few reasons why you’d want to do it in the first place. Let’s get started!
What is a CAA record?
CAA stands for Certificate Authority Authorization, a DNS (domain name system) security measure which allows domain name holders to specify to CAs whether they’re authorized to issue SSL certificates for a particular domain name. Here’s how a CAA record would look for SSL Dragon in a DNS server:
ssldragon.com. CAA 0 issue "digicert.com"
In this example, only DigiCert is authorized to issue digital certificates for this domain. Other certificate authorities must comply with this command or risk being distrusted. As the domain owner, you can decide how many CAs can issue SSL certs for your site and even specify the type of certificate. Here’s an example of a CAA record for wildcard certificates:
ssldragon.com. CAA 0 issuewild "sectigo.com"
In this instance, only Sectigo can issue wildcard certificates for ssldragon.com. As per CA/Browser Forum Ballot 187, CAs must check CAA records before issuing an SSL certificate.
Now that you know what a CAA record is, it's time to dive deep into how it works.
How does a CAA record work?
Let’s take every element of a CAA record and break it down. We’ll use the same hypothetical example for the SSLDragon website, and a real CAA record of Google.com. You can look it up yourself with the DNS checker tool.
ssldragon.com. CAA 0 issue "digicert.com"
The CAA record above includes the following parts:
- ssldragon.com – the domain you want to secure
- CAA – the record type
- 0 – flag
- issue – tag
- digicert.com – the CA authorized to issue digital certificates for this particular domain.
The Google example also contains the TTL attribute. We’re going to dissect the tags, flags, values, and TTL below:
Flags
A flag can be in one of two states: 1 (critical) or 0 (non-critical), with the latter being the default value.
- The 1 flag tells the CA that it can't go ahead with issuing the certificate if it doesn't understand the property, and that it should notify the domain owner via email about the CAA record check failure.
- The 0 flag informs the CA that it can use any CAA record info in the DNS zone. If it doesn’t understand this record, it can use another in the DNS zone file.
Tags
A tag determines the action an authorized CA can perform when issuing digital certificates. The three tags that are defined in the proposed standard are issue, issuewild, and iodef. However, CAs can also create their custom tags to ease the certificate issuance process.
- The issue tag authorizes a particular CA to issue regular, non-wildcard certificates for the specified domain and all its subdomains.
- The issuewild tag authorizes a particular CA to issue wildcard certificates for the domain in question.
- The iodef (incident object description exchange format) tag notifies the domain owner via email when a certificate request fails the CAA check. Here's how the syntax should look for the iodef property: ssldragon.com. CAA 0 iodef "mailto:[email protected]"
TTL (time to live) is the period in seconds that a server should cache your CAA record.
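To make the flag, tag and value rules concrete, here is an added Python example (not code from SSL Dragon or from any CA) that parses CAA records written in the zone-file syntax shown above and decides whether a given CA may issue for a name. It goes one step beyond the article: it also walks up the domain tree the way a CA does, so a subdomain without its own record inherits its parent's. The zone lines and the mailto address are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample zone in the record syntax the article shows; these are
# not the real DNS records of any domain. `issue ";"` means no CA at all.
ZONE = """
ssldragon.com.         CAA 0 issue "digicert.com"
ssldragon.com.         CAA 0 issuewild "sectigo.com"
ssldragon.com.         CAA 0 iodef "mailto:caa-reports@example.invalid"
locked.ssldragon.com.  CAA 0 issue ";"
future.ssldragon.com.  CAA 1 sometag "not-yet-defined"
"""

CAA_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_zone(text):
    """Map each owner name to its list of (flags, tag, value) CAA records."""
    rrsets = defaultdict(list)
    for line in text.strip().splitlines():
        m = CAA_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        owner, flags, tag, value = m.groups()
        rrsets[owner.rstrip(".")].append((int(flags), tag.lower(), value))
    return dict(rrsets)

def find_rrset(rrsets, name):
    """Climb toward the root; the first CAA RRset found is the one that applies."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in rrsets:
            return rrsets[owner]
    return []  # no CAA record anywhere in the tree: any CA may issue

def ca_may_issue(rrsets, name, ca, wildcard=False):
    """True if `ca` (e.g. "digicert.com") may issue a certificate for `name`."""
    rrset = find_rrset(rrsets, name[2:] if name.startswith("*.") else name)
    # Critical flag on a tag the CA does not understand: it must refuse. The article
    # writes the flag as 1, RFC 8659 as the high bit (128); any non-zero flag counts.
    if any(flags and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # Wildcard requests use issuewild records when present, otherwise issue records.
    relevant = [r for r in rrset if r[1] == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in rrset if r[1] == "issue"]
    if not relevant:  # only iodef records, or no records at all: issuance allowed
        return True
    return any(v.split(";")[0].strip().lower() == ca.lower() for _, _, v in relevant)
```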
Now that you know the elements of a CAA record, let's create your own. There are many ways to create a CAA record for your domain; we'll focus on the two most common ones.
How to add a CAA record on your DNS server?
If you use your own DNS server, you can create your CAA record directly in your BIND zone file.
- Use a text editor such as Notepad to open your domain’s DNS file.
- Add or update the DNS CAA record info in that file. Use the CAA record example we’ve provided earlier. Include the flags, tags, value, etc.
- Save the zone file with your new configuration.
How to add a CAA record in cPanel?
If you want to add a CAA record via your hosting panel, here’s how to do it:
- Log into your cPanel account.
- From the Domains section, click on Zone Editor.
- Next to the domain you want to create a CAA record for, click Manage.
- In the Zone Editor page, find the Add Record button and expand it. From the drop-down list, select Add "CAA" Record.
- Now you have to fill in the required fields:
  - The name of the domain or subdomain you want to add a CAA record for
  - The record type (CAA)
  - The flag (0 or 1)
  - The tag (issue, issuewild, iodef)
  - The value (the domain name of the authorized CA)
- Click Add Record to finish your configuration.
By now, you should be an expert on all things CAA records. But does your website need one? Below we've listed a few reasons why you may consider setting up a CAA record for your domain:
Final thoughts
SSL certificates are now an essential element of every website. And while breaking the HTTPS encryption is beyond human capabilities, cyber-attackers are always searching for clever ways to compromise your name. Thankfully, CAA records are another excellent security measure to protect your brand identity. CAA records give you full control over the certificate issuance process.