Certificate Authority Authorization (CAA) records control which Certificate Authorities (CAs) may issue SSL certificates for your domain.

You can usually request SSL from any CA if you have no CAA records at all. There may be some cases in which other restrictions apply.

However, if the domain has any CAA records, then only the CAs named in those records can issue SSL for the domain. If you request SSL from a CA not on your CAA list, the certificate will not be issued until you either:

  • Add a new CAA record for the new CA, OR
  • Clear all existing CAA records


How to Look Up CAA Records

You can use a DNS checker website to look up CAA records set on your domain or sub-domains.

In your preferred DNS tool, simply search for CAA-type records on your domain(s). If there are records, check the "issue" value for the CA's domain name.

If there are no results, then the domain does not have any CAA records of its own. 


Create CAA for Sectigo

It's not always required that you set a CAA record to get SSL from a CA. However, you may need to add one if there are other CAA records that can't be removed.

Create a new CAA record in your DNS zone.

  • Host name: your domain or @
  • TTL: lowest possible (30 min)
  • Data value: 0 issue "sectigo.com"

If you then look up your domain's CAA in a DNS checker, you should get this result:

yourdomain CAA 0 issue "sectigo.com"


Third-party CAA Records

Some third-party service providers enforce CAA records on their own domain. If you are required to point your domain to theirs (such as by a CNAME record), then your domain may actually inherit that provider's CAA records.

You may need to ask your service provider if they enforce CAA restrictions that might impact your domain.
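
The lookup and third-party inheritance described above can be modelled in a few lines. This is an added example, not code from the original page: it follows the CAA lookup rules of RFC 8659 for non-wildcard "issue" records only, and every domain name and record in ZONE is constructed sample data.

```python
# Constructed sample DNS data (not real zones): name -> records at that name.
ZONE = {
    "example.com": {"CAA": ['0 issue "letsencrypt.org"']},
    "shop.example.com": {"CNAME": "stores.provider.example"},
    "stores.provider.example": {"CAA": ['0 issue "digicert.com"']},
    "blog.example.com": {},
    "example.org": {"CAA": ['0 iodef "mailto:sec@example.org"']},
}

def caa_at(name, zone):
    """CAA records a resolver would return for `name`, following CNAMEs."""
    seen = set()
    while name in zone and name not in seen:  # `seen` guards against CNAME loops
        seen.add(name)
        rec = zone[name]
        if "CNAME" in rec:
            name = rec["CNAME"].rstrip(".").lower()
            continue
        return rec.get("CAA", [])
    return []

def relevant_caa(domain, zone):
    """Climb from `domain` toward the root; the first non-empty CAA set wins."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        records = caa_at(name, zone)
        if records:
            return name, records
    return None, []

def ca_may_issue(domain, ca, zone):
    """True if `ca` may issue a non-wildcard certificate for `domain`."""
    _, records = relevant_caa(domain, zone)
    issuers = []
    for rec in records:
        _flags, tag, value = rec.split(None, 2)
        if tag.lower() == "issue":
            # Keep only the issuer domain; drop any ";"-separated parameters.
            issuers.append(value.strip('"').split(";")[0].strip().lower())
    if not issuers:  # no CAA at all, or no "issue" records: issuance unrestricted
        return True
    return ca.lower() in issuers
```

In this sample data, shop.example.com is governed by the provider's record rather than the one on example.com, which is the inheritance case the last section describes.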