CAA Record Helper

By SSLMate

Over a hundred certificate authorities (CAs) have the power to issue certificates which vouch for the identity of your website. Certificate Authority Authorization (CAA) is a way for you to whitelist the CAs you actually use so you can minimize your risk from security vulnerabilities in all the others.

As of September 8, 2017, all certificate authorities are required to respect your CAA policy, so now is the perfect time to set up CAA. Setting up CAA using this tool is an easy way to improve your website's security.

1. Enter Your Domain Name

You'll start with an empty policy that prohibits all CAs.
We'll use Certificate Transparency to see which CAs you're currently using.
We'll load your existing CAA record set so you can make adjustments.

2. Select Authorized Certificate Authorities

Check off the certificate authorities which you authorize to issue certificates for your domain. You can separately authorize the issuance of wildcard and non-wildcard certificates.

Type of certificate: Non-Wildcard / Wildcard

AC Camerfirma
ACCV (Government of Spain)
Actalis
Amazon
Asseco (Unizeto, Certum)
Buypass
CA Disig
CATCert (Consorci AOC)
Certinomis (Docapost)
Certizen (Hongkong Post)
certSIGN
CFCA (China Financial)
Chunghwa Telecom
Comodo
D-TRUST
DFN-PKI
DigiCert (Symantec, GeoTrust, Thawte, RapidSSL)
DocuSign (Keynectis, OpenTrust, Certplus)
e-tugra
Entrust
Firmaprofesional
FNMT (Government of Spain)
GDCA
GlobalSign
GoDaddy (Starfield Technologies)
Google Trust Services
GRCA (Government of Taiwan)
HARICA
IdenTrust
Izenpe
Kamu SM
Let's Encrypt
Microsec e-Szignó
NetLock
PKIoverheid
QuoVadis
SECOM
Sertifitseerimiskeskuse
SwissSign
T-Systems
Telia
Trust Provider B.V. (Networking4all)
TrustCor Systems
Trustwave
Web.com
WISeKey

3. Incident Reporting (Optional)

You can specify an email address or URL for reporting certificate requests or issued certificates that violate your CAA policy. Reports will be provided in iodef format.

4. Publish Your CAA Policy

Add the following CAA records to your domain's DNS. Your DNS must be hosted with a service that supports CAA.

Generic

For Google Cloud DNS, Route 53, DNSimple, and other hosted DNS services

Name Type Value

Standard Zone File

For BIND ≥9.9.6, PowerDNS ≥4.0.0, NSD ≥4.0.1, Knot DNS ≥2.2.0


Legacy Zone File (RFC 3597 Syntax)

For BIND <9.9.6, NSD <4.0.1, Windows Server 2016


tinydns
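The following is an added example, not SSLMate's own code, showing how the choices from steps 2 and 3 become CAA records and how one record set is rendered in the three output formats above (standard zone file, RFC 3597 legacy syntax, and tinydns). The CA identifiers, domain name and iodef address are constructed sample values.

```python
from typing import List, Sequence, Tuple

CAA_TYPE = 257                  # RR type number assigned to CAA
Record = Tuple[int, str, str]   # (flags, tag, value)

def build_policy(non_wildcard: Sequence[str], wildcard: Sequence[str],
                 iodef: str = "") -> List[Record]:
    """Turn the two checkbox columns into CAA records. An empty column yields
    'issue ";"' / 'issuewild ";"', which prohibits issuance. issuewild is
    omitted when it would only repeat the issue set, because RFC 6844 lets the
    issue records govern wildcards when no issuewild record is present."""
    recs = [(0, "issue", ca) for ca in non_wildcard] or [(0, "issue", ";")]
    if set(wildcard) != set(non_wildcard):
        recs += [(0, "issuewild", ca) for ca in wildcard] or [(0, "issuewild", ";")]
    if iodef:
        recs.append((0, "iodef", iodef))
    return recs

def caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Wire-format RDATA: flags (1 byte), tag length (1 byte), tag, value."""
    tag_b = tag.encode("ascii")
    if not (0 <= flags <= 255 and 1 <= len(tag_b) <= 255):
        raise ValueError("flags must fit one byte; tag must be 1-255 bytes")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")

def standard_zone(name: str, recs: Sequence[Record], ttl: int = 3600) -> List[str]:
    """Presentation format for BIND >= 9.9.6 and other CAA-aware servers."""
    return [f'{name} {ttl} IN CAA {f} {t} "{v}"' for f, t, v in recs]

def legacy_zone(name: str, recs: Sequence[Record], ttl: int = 3600) -> List[str]:
    """RFC 3597 generic syntax: TYPE257 \\# <rdlength> <hex rdata>."""
    return [f"{name} {ttl} IN TYPE{CAA_TYPE} \\# {len(r)} {r.hex().upper()}"
            for r in (caa_rdata(*rec) for rec in recs)]

def tinydns_lines(name: str, recs: Sequence[Record], ttl: int = 3600) -> List[str]:
    """tinydns-data generic record ':fqdn:type:rdata:ttl'. Bytes other than
    ASCII letters, digits and a few safe characters become \\ooo octal escapes,
    so the NUL flags byte and any ':' in the value are encoded safely."""
    safe = set("-._/@;")
    lines = []
    for rec in recs:
        esc = "".join(chr(b) if b < 128 and (chr(b).isalnum() or chr(b) in safe)
                      else f"\\{b:03o}" for b in caa_rdata(*rec))
        lines.append(f":{name.rstrip('.')}:{CAA_TYPE}:{esc}:{ttl}")
    return lines

if __name__ == "__main__":
    # Constructed sample: one CA for ordinary names, another for wildcards.
    policy = build_policy(["letsencrypt.org"], ["digicert.com"], "mailto:security@example.com")
    for render in (standard_zone, legacy_zone, tinydns_lines):
        print("\n".join(render("example.com.", policy)), end="\n\n")
```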


5. Monitor Your Domain (Optional)

Even if you publish a CAA record, a noncompliant certificate authority can ignore your CAA records. Use Cert Spotter to monitor Certificate Transparency logs so you'll get an email if this happens.