How to add a Certificate Authority Authorization (CAA) DNS record
What is a Certificate Authority Authorization (CAA) DNS Record?
A Certificate Authority Authorization (CAA) record is a security measure that allows the domain name owner to specify which Certificate Authorities (CAs) are authorized to issue certificates for that domain. If a CA receives an order for a certificate for a domain with a CAA record and that CA isn't listed as an authorized issuer, it is prohibited from issuing the certificate for that domain or any of its subdomains.
Why use a CAA?
SSL Certificate Authorities are required to check a domain name's DNS records for a CAA record before issuing an SSL Certificate. This gives the benefit of preventing unauthorized issuance of an SSL Certificate and will help protect your business and your web site from fraud.
What if I don’t have a CAA Record?
If you don't have a CAA Record in your DNS, this is the same as saying that all CAs may issue a certificate for you, and as such we would recommend adding a CAA rule.
How Do I Create A CAA Record?
We have found a site that will do most of the work for you.
If you visit https://sslmate.com/caa/ you will be able to enter the details needed.
If, for example, you wanted to create a CAA record for 'reditexample.co.uk', you would enter the domain name into the box in section 1.
If you are looking to create your first CAA record for this domain, click on 'Auto-Generate Policy'; this will look for any existing SSL Certificates on your domain's DNS records.
If you think you already have a CAA Record and are looking to update the rules, you can click on 'Load Current Policy'.
If any SSL Certificates are found, their providers will then be selected in section 2.
From here you can either add additional SSL Certificate providers or remove some of the ones that have been selected for you. In the next section, 'Section 3', you can enter an optional eMail address, which will be used if an SSL Certificate is requested for your domain from a CA that is not on the allowed list.
Finally, you will see that Section 4 contains a copy of the DNS records that you will need to add to your DNS zone file. Most providers will be able to work with the 'Generic' output.
If you are using the redIT Shared Hosting Platform or the redIT DNS Service, you can add these records through our Hosting Control Panel. Once you are logged in, select 'Domain Names' from the left hand menu:
Now, from the main control panel page, select the domain name that you wish to add the CAA record for and click on the 'Records' icon.
You should now see a list of all your current DNS records for the selected domain name. To add the new record or records you will need to click on the 'Add' button at the top of this page.
Finally, for each of the records that the CAA Wizard has shown you, simply enter the details into the new record form. In this example we have added the first result returned from the Wizard, as shown above.
If you are adding the eMail record, you can change the 'Tag' type as needed (the eMail record uses the 'iodef' tag rather than 'issue').
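To show what a CA's check of these records actually does, here is an added example (not code from this page, sslmate or redIT) that parses CAA records in the 'Generic' zone-file form and decides whether a given CA may issue. The zone contents and the CA names in SAMPLE_ZONE are constructed for illustration; the lookup climbs from a subdomain to its parent and treats issue, issuewild, iodef and the critical flag the way RFC 8659 describes.

```python
import re
from collections import namedtuple

CAA = namedtuple("CAA", "flags tag value")

# Constructed sample policy in the 'Generic' zone-file form (hypothetical values).
SAMPLE_ZONE = {
    "reditexample.co.uk": [
        '0 issue "letsencrypt.org"',
        '0 issue "digicert.com"',
        '0 issuewild "letsencrypt.org"',
        '0 iodef "mailto:security@reditexample.co.uk"',
    ],
}

RDATA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')

def parse_caa(rdata):
    """Split one CAA rdata string into (flags, tag, value)."""
    m = RDATA_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"malformed CAA rdata: {rdata!r}")
    flags, tag, value = m.groups()
    return CAA(int(flags), tag.lower(), value)

def relevant_rrset(name, zone):
    """RFC 8659 section 3: walk from the name towards the root and use the
    first CAA RRset found, so subdomains inherit the parent's policy."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]), [])
        if records:
            return [parse_caa(r) for r in records]
    return []

def may_issue(name, ca, zone, wildcard=False):
    """Decide whether CA `ca` may issue a certificate for `name`."""
    rrset = relevant_rrset(name, zone)
    # An unknown tag carrying the critical flag (bit 128) forbids issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    allowed = [r.value.split(";", 1)[0].strip().lower() for r in rrset if r.tag == tag]
    if not allowed:
        return True   # no CAA RRset, or only iodef: issuance is unrestricted
    return ca.lower() in allowed   # 'issue ";"' yields "" and so blocks every CA
```

Running may_issue against a zone without any CAA records returns True, which is the "any CA may issue" situation the page warns about.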