Certification Authority Authorization (CAA) is a method for a domain owner to permit one or more certification authorities (CAs) to issue SSL/TLS certificates using their domain name. The permission is provided through a CAA record associated with a DNS entry for the domain name.
Giving certificate issuance to one or more CAs also has the reverse effect as it prevents certificates from being issued by non-permitted CAs. This will increase security to protect your domains as only CAs which have met your selection criteria are permitted to issue.
So what does your CAA record say?
Entrust provides a CAA Lookup Tool to check domain CAA records. By putting in your FQDN (e.g., www.example.com) or your root domain name (e.g., example.com), the CAA checker will provide the following:

  • CAA record – Yes or No
  • Can Entrust issue certificates? – Yes or No
  • Can another CA issue certificates? – No, All or other CA name
  • CAA iodef record - This is a record with an email address or a website where questions can be sent to the controller of the CAA records
  • Full CAA record response – Click on the domain name; this will provide the full CAA record including the CAA issuewild record, if one has been entered

Entrust Datacard has a Certification Authority Authorization (CAA) page to provide information on CAA, including a CAA Best Practices guide to support DNS administrators.

To permit Entrust to issue certificates use: CAA 0 issue "entrust.net".

Bruce Morton

Bruce Morton

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.