CAA Record Helper

By SSLMate

Over a hundred certificate authorities (CAs) have the power to issue certificates that vouch for the identity of your website. Certificate Authority Authorization (CAA) is a DNS record that lets you whitelist the CAs you actually use, so that a security vulnerability or mis-issuance at any of the others cannot be turned into a certificate for your domain by a CA that follows the rules.

Beginning September 8, 2017, all publicly trusted certificate authorities will be required by the CA/Browser Forum Baseline Requirements to check CAA and respect your policy before issuing, so now is the perfect time to set up CAA. Setting up CAA using this tool is an easy way to improve your website's security.

1. Enter Your Domain Name

You'll start with an empty policy that prohibits all CAs.
We'll use Certificate Transparency to see which CAs you're currently using.
We'll load your existing CAA record set so you can make adjustments.

2. Select Authorized Certificate Authorities

Check off the certificate authorities that you authorize to issue certificates for your domain. You can separately authorize the issuance of wildcard and non-wildcard certificates: non-wildcard authorizations are published as issue properties and wildcard authorizations as issuewild properties. If you publish issue properties but no issuewild property, the issue properties also govern wildcard certificates, so a CA you authorize for non-wildcard names can issue wildcards too unless you add an issuewild entry.

Type of certificate: Non-Wildcard / Wildcard
AC Camerfirma
ACCV (Government of Spain)
Actalis
Amazon
Asseco (Unizeto, Certum)
Buypass
CA Disig
CATCert (Consorci AOC)
Certinomis (Docapost)
Certizen (Hongkong Post)
certSIGN
CFCA (China Financial)
Chunghwa Telecom
Comodo
D-TRUST
DFN-PKI
DigiCert
DocuSign (Keynectis, OpenTrust, Certplus)
e-tugra
EDICOM
Entrust
Firmaprofesional
FNMT (Government of Spain)
GlobalSign
GoDaddy (Starfield Technologies)
Google Trust Services
GRCA (Government of Taiwan)
HARICA
IdenTrust
Izenpe
Kamu SM
Let's Encrypt
Microsec e-Szignó
NetLock
PKIoverheid
PROCERT
QuoVadis
SECOM
Sertifitseerimiskeskuse
StartCom
SwissSign
Symantec (GeoTrust, Thawte, RapidSSL)
T-Systems
Telia
Trust Provider B.V. (Networking4all)
Trustwave
Web.com
WISeKey
WoSign
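How a CA evaluates the records this step produces, as an added example that is not part of SSLMate's tool: it implements the RFC 8659 lookup (walk from the requested name toward the root and take the first CAA set found) and the issue/issuewild rules against a constructed in-memory zone. The zone contents, names, and the ";"-only and critical-flag entries are illustrative assumptions, and the wildcard handling is a deliberate simplification noted in the code.

```python
"""Added example (not SSLMate's code): evaluate a CAA policy the way a CA does.

Implements the lookup and issue/issuewild rules of RFC 8659 sections 3-4
against a constructed, in-memory zone. Names and records are assumptions.
"""
from dataclasses import dataclass

CRITICAL = 0x80  # RFC 8659 s4.1: issuer-critical flag is the high bit of the flags octet
KNOWN_TAGS = ("issue", "issuewild", "iodef")  # property tags this evaluator understands


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed sample zone (assumption): keys are fully qualified names.
ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issue", "digicert.com"),
        CAARecord(0, "issuewild", "digicert.com"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    # ';' as the issue value authorises no CA at all.
    "legacy.example.com.": [CAARecord(0, "issue", ";")],
    # An unrecognised property with the critical flag set must block issuance
    # ("futuretag" is a hypothetical tag for illustration).
    "strict.example.com.": [CAARecord(CRITICAL, "futuretag", "x")],
}


def relevant_caa_set(zone, name):
    """RFC 8659 s3: query the name, then each parent; the first non-empty RRset wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = zone.get(candidate)
        if rrset:
            return candidate, list(rrset)
    return None, []


def issuer_domain(value):
    """issue-value is '<issuer-domain-name> [; parameters]'; '' means no issuer."""
    return value.split(";", 1)[0].strip().lower()


def is_authorized(zone, requested_name, ca_domain):
    """True if a CA identifying itself as ca_domain may issue for requested_name."""
    wildcard = requested_name.startswith("*.")
    # Simplification (assumption): strip the wildcard label and start the
    # search at the base name; see RFC 8659 s3 for the exact lookup rules.
    base = requested_name[2:] if wildcard else requested_name
    _, rrset = relevant_caa_set(zone, base)

    # RFC 8659 s4.1: a critical record whose tag the CA does not understand
    # means the CA MUST NOT issue.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False

    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # Wildcard names are governed by issuewild when present, otherwise by issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # no CAA set, or no applicable property: issuance is unrestricted
    return any(issuer_domain(r.value) == ca_domain.lower() for r in applicable)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("*.example.com", "letsencrypt.org"),
                     ("*.example.com", "digicert.com"),
                     ("legacy.example.com", "digicert.com"),
                     ("strict.example.com", "letsencrypt.org")]:
        verdict = "allowed" if is_authorized(ZONE, name, ca) else "denied"
        print(f"{ca:16} -> {name:22} {verdict}")
```

The two wildcard lines in the demo show the point made above: with an issuewild property present, Let's Encrypt is denied for *.example.com even though it is authorized for non-wildcard names, whereas deleting that issuewild entry would let the issue entries govern wildcards as well.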

3. Incident Reporting (Optional)

You can specify an email address (as a mailto: URL) or an HTTP/HTTPS URL for reporting certificate requests or issued certificates that violate your CAA policy. It is published as an iodef property, and reports are delivered in IODEF format. CAs are not required to send these reports (RFC 6844 leaves iodef support optional), so treat them as a bonus rather than as a control you rely on.

4. Publish Your CAA Policy

Add the following CAA records to your domain's DNS. Your DNS must be hosted with a service that supports CAA. CAs look up CAA on the exact name requested and then on each parent name in turn, stopping at the first one that has CAA records, so records at your domain's apex cover every subdomain that does not publish its own CAA set, and a subdomain with its own CAA records replaces the parent's policy entirely.

Generic

For Google Cloud DNS, Route 53, DNSimple, and other hosted DNS services

Standard Zone File

For BIND ≥9.9.6, PowerDNS ≥4.0.0, NSD ≥4.0.1, Knot DNS ≥2.2.0

Legacy Zone File (RFC 3597 Syntax)

For BIND <9.9.6, NSD <4.0.1, Windows Server 2016

tinydns
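The record encodings behind the Legacy Zone File and tinydns formats above (and the iodef property from step 3), as an added example rather than the tool's own output: it builds the RFC 8659 wire-format RDATA for a CAA record and renders it in native zone-file syntax, RFC 3597 TYPE257 hex syntax, and tinydns-data generic-record syntax. The domain, TTL and policy contents are constructed assumptions.

```python
"""Added example (not SSLMate's code): encode one CAA record in the three zone
syntaxes above. Wire format per RFC 8659 s4.1; TYPE257 hex form per RFC 3597 s5;
tinydns generic-record form per the tinydns-data file format.
Names, TTL and values are constructed assumptions.
"""

CAA_TYPE = 257  # IANA RR type number for CAA


def caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """RFC 8659 s4.1 RDATA: flags (1 octet), tag length (1 octet), tag, value."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    tag_b = tag.encode("ascii")
    if not (1 <= len(tag_b) <= 255 and tag_b.isalnum()):
        raise ValueError("tag must be 1-255 ASCII letters or digits")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")


def parse_caa_rdata(rdata: bytes):
    """Inverse of caa_rdata; useful for checking what a resolver actually returned."""
    if len(rdata) < 2 or len(rdata) < 2 + rdata[1]:
        raise ValueError("truncated CAA RDATA")
    tag_len = rdata[1]
    return rdata[0], rdata[2:2 + tag_len].decode("ascii"), rdata[2 + tag_len:].decode("utf-8")


def standard_syntax(name, ttl, flags, tag, value):
    """Native CAA syntax for servers that know the type (BIND >= 9.9.6 and friends)."""
    return f'{name} {ttl} IN CAA {flags} {tag} "{value}"'


def rfc3597_syntax(name, ttl, flags, tag, value):
    """RFC 3597 s5 unknown-type syntax: TYPE257 \\# <length> <hex octets>."""
    rdata = caa_rdata(flags, tag, value)
    return f"{name} {ttl} IN TYPE{CAA_TYPE} \\# {len(rdata)} {rdata.hex()}"


def tinydns_syntax(name, ttl, flags, tag, value):
    """tinydns-data generic record ':fqdn:type:rdata:ttl'. Bytes outside printable
    ASCII, plus ':' and '\\', are written as octal \\ooo escapes."""
    def esc(b):
        if 33 <= b <= 126 and b not in (ord(":"), ord("\\")):
            return chr(b)
        return "\\%03o" % b
    rdata = caa_rdata(flags, tag, value)
    return f":{name.rstrip('.')}:{CAA_TYPE}:{''.join(esc(b) for b in rdata)}:{ttl}"


def render_policy(name, ttl, records):
    """All three syntaxes for a list of (flags, tag, value) tuples."""
    out = {"standard": [], "rfc3597": [], "tinydns": []}
    for flags, tag, value in records:
        out["standard"].append(standard_syntax(name, ttl, flags, tag, value))
        out["rfc3597"].append(rfc3597_syntax(name, ttl, flags, tag, value))
        out["tinydns"].append(tinydns_syntax(name, ttl, flags, tag, value))
    return out


# Constructed policy (assumption): non-wildcard issuance from two CAs,
# wildcard issuance from one, violations reported by e-mail.
POLICY = [
    (0, "issue", "letsencrypt.org"),
    (0, "issue", "digicert.com"),
    (0, "issuewild", "digicert.com"),
    (0, "iodef", "mailto:security@example.com"),
]

if __name__ == "__main__":
    for fmt, lines in render_policy("example.com.", 3600, POLICY).items():
        print(f"# {fmt}")
        print("\n".join(lines))
```

Running it prints the four-record policy in all three syntaxes. The RFC 3597 line is what you paste into a zone served by BIND <9.9.6 or NSD <4.0.1; the tinydns line goes into the data file, with the colon inside mailto: escaped as \072 so it is not mistaken for a field separator.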

5. Monitor Your Domain (Optional)

Publishing a CAA record does not stop a noncompliant or compromised certificate authority from ignoring it. Use Cert Spotter to monitor Certificate Transparency logs so you'll get an email if a certificate for your domain is issued by a CA you did not authorize.