Manage your certificates in DigiCert® CertCentral

All legacy Symantec account portals have moved to CertCentral. Log in below if you’ve already activated your CertCentral account. If not, contact our sales or support teams here. They will send you an email with a unique link to access your account. Login
SECURITY TOPICS

What is Certificate Authority Authorization (CAA)?

The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain.

What is CAA?

DNS Certification Authority Authorization (CAA) is designed to allow a DNS domain name holder (a website owner) to specify one or more Certificate
Authorities (CAs) the authority to issue certificates for that domain or website, according to a definition in IETF draft RFC 6844.

With the latest industry standards, a CA will have to check CAA records to make sure that they have the authority to issue the certificates for a particular domain, prior to issuance. For example, if you own thawte.com, and wish to have certificates for that domain issued by DigiCert, you would create a CAA record in DNS with DigiCert as your CA of choice. You may have more than one CAA record if you work with more than one CA.


With CAA, if a malicious actor, or another employee engages a CA to issue a certificate for thawte.com, that CA must first check in DNS. The unlisted CA is allowed to issue the certificate for your domain if no CAA records exist. However, the unlisted CA is not allowed to issue the certificate if CAA records for other CAs exist. This new requirement helps to mitigate the risks of certificate issuance by unauthorized CAs.

Website Security

CAA Records

The creation and modification of the CAA records are controlled by the organization or website owner. The CAA records can help with the enforcement of your corporate policies on approved CAs. By aligning the CAA records with the list of corporate approved CAs, the risk of non-compliance to the policy is minimized. An employee who is not familiar with the policy will not be able to obtain certificates issued by a CA that is not on the corporate list.

If CAA records exist but do not include an approved or preferred CA for a specific domain, the issuance of certificates by that CA to the domain cannot proceed until the creation of the appropriate CAA record is completed.

It is recommended that you create CAA records for your approved CAs to minimize business impact. With CAA, you can minimize the risk of certificate issuance by unauthorized CAs and help create a more secure and transparent online ecosystem.

Top 3 Website Security Myths Revealed

Learn the Facts

With the many falsehoods and myths surrounding website security, how do you sort through what’s true so you can choose the right protection to keep your business, website and customers secure?

READ 3 MYTHS REVEALED
What Is EV SSL?

What Is EV SSL?

DigiCert SSL/TLS Certificates with Extended Validation (EV) provide solutions that allow companies and consumers to engage in communications and commerce online with confidence.

Continue Reading

How SSL Works

How SSL Works

DigiCert SSL Certificates provide solutions that allow companies and consumers to engage in communications and commerce online with confidence.

Continue Reading

USE CASES

DigiCert Website Security Solutions In The Real World

SSL/TLS Fundamentals

What You Need To Know About SSL/TLS Certificates

Intrusion and Threat Protection

SSL/TLS Installation Checker

CHECK SSL INSTALLATION NOW

Intrusion and Threat Protection

SSL/TLS Installation Checker

CHECK SSL INSTALLATION NOW

Encryption

The Emergence of Certificate Transparency

LEARN MORE

Encryption

How SSL/TLS Works

LEARN MORE

Join the Community

Follow us on Twitter

DIGiCERT ON TWITTER

Watch Videos our YouTube Channel

DIGICERT ON YOUTUBE
 >  Security Topics  >  What is Certificate Authority Authorization (CAA)?

Products

Support

Security Topics

Partners

We have updated our Privacy Policy.
Contact Us