Certification Authority Authorization (CAA) FAQ

Frequently Asked Questions

What is CAA?

A Certificate Authority Authorization (CAA) record, as defined in RFC 6844, allows domain owners to restrict issuance to specified certificate authorities (CAs). CAA records are intended to allow CAs to avoid mis-issuing certificates in some circumstances.

How does Cloudflare evaluate CAA records?

CAA is an instruction for a CA, not for Cloudflare. Setting a record to specify one CA or another has no bearing on which CA(s) Cloudflare will use to issue a certificate for your domain as part of our Universal SSL or Dedicated SSL features.

Why must you disable Universal SSL if I don’t include CAA records that permit Universal SSL issuance?

If any CAA records are set on a domain, our CA partners will be unable to issue a certificate if these records don’t include their relevant values. While this may be acceptable for your domain, your CAA records may prevent issuance of another customer’s Universal SSL certificate who is sharing the same certificate. As such, we must disable Universal SSL.

What records are required to keep Universal SSL enabled?

The following records must, at minimum, be set on your domain if you wish to continue to use Cloudflare’s free Universal SSL certificates:

 example.com. IN CAA 0 issue “comodoca.com”

example.com. IN CAA 0 issue “digicert.com”

example.com. IN CAA 0 issue “globalsign.com”

 Note that you must not set ‘issuewild’ for any of the domains in which you wish to continue to use Universal SSL. The reason is that the presence of ‘issuewild’ records override issue records (and ‘issuewild’ only permit wildcard issuance so we would be unable to add the apex of your domain to the certificate).

What happens when Universal SSL is disabled?

Your domain name will be immediately removed from your existing certificate and your users will receive an error unless you upload your own custom certificate. Only Business and Enterprise users may upload custom certificates.

How can I have Universal SSL re-enabled?

You must first update your CAA records to permit Universal SSL issuance. After you have done this, please open a new support ticket.

What are the dangers of setting CAA records?

If you are part of a large organization or one where multiple parties are tasked with obtaining SSL certificates, you must be certain that you include DNS records allowing issuance for all of the CAs that your organization has relationships with. If you do not, you may inadvertently block issuance by other parts of your organization.

I’ve added CAA records but I’m still able to issue with a CA not on the list. Why is that?

CAs have until September 8, 2017, to enforce CAA checking at issuance. While some are already checking for the presence of valid CAA records, others are not (and are not yet required to do so).

When will CAA leave beta and be released to everyone, regardless of record contents?

CAA will be opened up to everyone once it is no longer possible for one customer’s CAA records to adversely affect another customer’s Universal SSL issuance. There is currently no timeline to announce for this planned work.

Still not finding what you need?

The Cloudflare team is here to help. 95% of questions can be answered using the search tool, but if you can’t find what you need, submit a support request.

Powered by Zendesk