What Is CAA (Certificate Authority Authorization) Checking?
CAA checking (Certificate Authority Authorization) is a DNS-based security mechanism that allows domain owners to specify which Certificate Authorities (CAs) are permitted to issue SSL/TLS certificates for their domain.
What Is the Purpose of CAA?
By adding a CAA record to your domain's DNS zone, you can limit certificate issuance to authorized CAs only. This helps prevent the risk of unauthorized or rogue certificates being issued.
For example, to authorize only sectigo.com as a valid CA, you can configure this DNS record:
example.com. CAA 0 issue "sectigo.com"
Why Is It Important?
- Enhances domain security against unauthorized certificate issuance
- Supported by all major CAs and considered best practice
- Recommended for public-facing domains using SSL/TLS
How Does It Work?
When a CA receives a certificate request, it queries the DNS for a CAA record on the domain. If its name is not listed in the record, the CA will deny the certificate issuance.
