Configuring CAA Records

You only need to configure Certificate Authority Authorization (CAA) records when you're using your own origin web server SSL certificate instead of Cloudflare Universal SSL.


Do not configure CAA records when using Cloudflare Universal SSL

We will add three CAA records for Universal SSL CA providers automatically when you add your own CAA record in the DNS dashboard.

If you have Universal SSL enabled, you might find that CAA records that prevent Universal SSL from issuing certificates have been removed and replaced with records for the three Universal SSL CA providers: comodoca.com, digicert.com, and globalsign.com.

Although Cloudflare sets up the CAA records in the background, these do not display in the Cloudflare dashboard DNS app.  However, if you issue a command line query using dig, any existing CAA records will show.

If you don't want or need Universal SSL provided by Cloudflare, you can disable it in your Cloudflare Crypto settings. 

Disabling Universal SSL leaves your Cloudflare-enabled DNS records without SSL support, unless you upload a custom SSL certificate (available for Cloudflare Business plan customers and above).

Configure your CAA records when using your own certificate

If you're using your own origin server SSL certificate (that is, a certificate that was not provisioned by Cloudflare), you need to manually add a CAA DNS record for each Certificate Authority (CA) that you plan to use for your domain. 

Configuring CAA records only applies to certificates issued by a CA. You cannot add CAA records if you're using a self-signed certificate on your origin web server.

To add a CAA record:

1. Log in to the Cloudflare dashboard.

2. Ensure the website you want to update is selected.

3. Click the DNS app.

4. In the DNS Records panel, click the record type dropdown to select CAA.

5. In the Name text box, type your domain.

6. Then in the Click to configure text box, click to enter configuration details. 


7. In the Add Record: CAA content dialog, select a Tag: either Only allow specific hostnames or Only allow wildcards, as appropriate. The default tag is Only allow specific hostnames.

8. For Value, enter the CA name.

9. Click OK to close the dialog.


10. Back in the DNS Records panel, verify that the information you entered is correct, and then click Add Record to save your changes.

You can repeat the steps above for each CA to associate with your domain.  Once you have finished creating all the records, you can review them in the list of records appearing under the DNS Records panel.
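To confirm the result from the command line, the following added example (not Cloudflare's own code) reads `dig +short CAA` output and reports whether a given CA may issue a hostname or wildcard certificate under the RFC 8659 rules. It assumes the dashboard's Only allow specific hostnames and Only allow wildcards tags correspond to the standard `issue` and `issuewild` tags; the function name `caa_allows`, the CA name `ca.example.net` and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Cloudflare code): decide from `dig +short CAA` output
# whether a CA may issue, following the RFC 8659 issue/issuewild rules.
# Usage: dig +short CAA example.com | caa_allows digicert.com host
# KIND is "host" or "wildcard". Returns 0 if issuance is allowed, 1 if not.
# Limitation: a CA also climbs to parent domains when a name has no CAA
# records; this function only evaluates the record set it is given.
caa_allows() {
    awk -v ca="$1" -v kind="$2" '
    {
        tag = tolower($2)
        # iodef and unknown tags never restrict issuance
        if (tag != "issue" && tag != "issuewild") next
        val = $0
        sub(/^[^"]*"/, "", val)   # drop flags, tag and opening quote
        sub(/".*$/, "", val)      # drop closing quote
        sub(/;.*$/, "", val)      # drop parameters; a bare ";" becomes empty
        gsub(/[ \t]/, "", val)
        seen[tag] = 1
        if (tolower(val) == tolower(ca)) ok[tag] = 1
    }
    END {
        # Wildcard requests use issuewild records if any exist, else issue.
        use = "issue"
        if (kind == "wildcard" && ("issuewild" in seen)) use = "issuewild"
        if (!(use in seen)) exit 0   # nothing restricts this request type
        exit ((use in ok) ? 0 : 1)
    }'
}

# Constructed sample of `dig +short CAA example.com` output (not real data):
# the three Universal SSL CAs plus a hypothetical CA for the origin certificate.
SAMPLE='0 issue "comodoca.com"
0 issue "digicert.com"
0 issue "globalsign.com"
0 issue "ca.example.net"
0 issuewild "digicert.com"
0 iodef "mailto:security@example.com"'

for kind in host wildcard; do
    if printf '%s\n' "$SAMPLE" | caa_allows ca.example.net "$kind"; then
        echo "ca.example.net $kind: allowed"
    else
        echo "ca.example.net $kind: blocked"
    fi
done
```

In the sample, the hypothetical CA is allowed for hostname certificates but blocked for wildcards, because the single `issuewild` record names only digicert.com.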
