Certification Authority Authorization (CAA) FAQ

Frequently Asked Questions

What is CAA?

A Certificate Authority Authorization (CAA) record, as defined in RFC 6844, allows domain owners to restrict issuance to specified certificate authorities (CAs). CAA records are intended to allow CAs to avoid mis-issuing certificates under certain circumstances.

How does Cloudflare evaluate CAA records?

CAA is an instruction for a CA, not for Cloudflare. Setting a record to specify one CA or another has no bearing on which CA(s) Cloudflare will use to issue a certificate for your domain as part of our Universal SSL or Dedicated SSL features.

Why must you disable Universal SSL if I don’t include CAA records that permit Universal SSL issuance?

If any CAA records are set on a domain, our CA partners will be unable to issue a certificate if these records don’t include their relevant values. While this may be acceptable for your domain, your CAA records may prevent issuance of another customer’s Universal SSL certificate who is sharing the same certificate. As such, we must disable Universal SSL.

Please note that if Cloudflare's Universal SSL is enabled for your domain, then CAA records will be automatically added for you for the Universal SSL CA providers which are: comodoca.com, digicert.com, and globalsign.com.

If you do not wish to have Universal SSL provided by Cloudflare, you can disable it by visiting your Crypto settings. Please note that disabling Universal SSL will leave your Cloudflare enabled DNS records without SSL support unless you have uploaded a custom SSL certificate on our Business plan or above.

What records are added to keep Universal SSL enabled?

The following records are set on your domain if you wish to continue to use Cloudflare’s free Universal SSL certificates:

example.com. IN CAA 0 issue "comodoca.com"
example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issue "globalsign.com"
example.com. IN CAA 0 issuewild "comodoca.com"
example.com. IN CAA 0 issuewild "digicert.com"
example.com. IN CAA 0 issuewild "globalsign.com"

Note that you must not use the "Only allow wildcards" option for the root record (which returns only ‘issuewild’ records) for any of the domains in which you wish to continue to use Universal SSL. Having ‘issuewild’ alone only permits wildcard issuance, so we would be unable to add the apex of your domain to the certificate. You should use the "Allow wildcards and specific hostnames" option:


What happens when Universal SSL is disabled?

Your domain name will be immediately removed from your existing certificate and your users will receive an error, unless you upload your own custom certificate. Only Business and Enterprise users may upload custom certificates.

How can I have Universal SSL re-enabled?

File a request ticket with Cloudflare Support.

What are the dangers of setting CAA records?

If you are part of a large organization or one where multiple parties are tasked with obtaining SSL certificates, you must be certain that you include DNS records allowing issuance for all of the CAs that your organization has relationships with. If you do not, you may inadvertently block issuance by other parts of your organization.

I’ve added CAA records but I’m still able to issue with a CA not on the list. Why is that?

CAs have until September 8, 2017, to enforce CAA checking at issuance. While some are already checking for the presence of valid CAA records, others are not (and are not yet required to do so).


Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk