CAA Record Helper

By SSLMate

Over a hundred certificate authorities (CAs) have the power to issue certificates which vouch for the identity of your website. Certificate Authority Authorization (CAA) is a way for you to whitelist the CAs you actually use so you can minimize your risk from security vulnerabilities in all the others.

As of September 8, 2017, all certificate authorities are required to respect your CAA policy, so now is the perfect time to set up CAA. Setting up CAA using this tool is an easy way to improve your website's security. Learn More

1. Enter Your Domain Name

You'll start with an empty policy that prohibits all CAs.
Your policy will allow only the CAs used by SSLMate.
We'll use Certificate Transparency to see which CAs you're currently using.
We'll load your existing CAA record set so you can make adjustments.

2. Select Authorized Certificate Authorities

Check off the certificate authorities which you authorize to issue certificates for your domain. You can separately authorize the issuance of wildcard and non-wildcard certificates.

Type of certificate
Non-Wildcard Wildcard

3. Incident Reporting (Optional)

You can specify an email address or URL for reporting certificate requests or issued certificates that violate your CAA policy. Reports will be provided in iodef format.

4. Publish Your CAA Policy

Add the following CAA records to your domain's DNS. Your DNS must be hosted with a service that supports CAA.

Generic

For Google Cloud DNS, Route 53, DNSimple, and other hosted DNS services

Name Type Value

Standard Zone File

For BIND ≥9.9.6, PowerDNS ≥4.0.0, NSD ≥4.0.1, Knot DNS ≥2.2.0


						


						

							
Legacy Zone File (RFC 3597 Syntax)

							
For BIND <9.9.6, NSD <4.0.1, Windows Server 2016


							

						


						

							
tinydns

							


							

						


						

							
dnsmasq

							


							

						


					

				


				

					
5. Monitor Your Domain (Optional)


					

						Even if you publish a CAA record, a noncompliant certificate authority
						can ignore your CAA records.  Use Cert Spotter
						to monitor Certificate Transparency logs so you'll get an email if this happens.