What is CAA

CAA is a type of DNS record that allows site owners to specify which Certificate Authorities (CAs) are allowed to issue certificates containing their domain names. It was standardized in 2013 by RFC 6844 to allow a CA “reduce the risk of unintended certificate mis-issue.” By default, every public CA is allowed to issue certificates for any domain name in the public DNS, provided they validate control of that domain name. That means that if there’s a bug in any one of the many public CAs’ validation processes, every domain name is potentially affected. CAA provides a way for domain holders to reduce that risk.

---- Certificate Authority Authorization (CAA)

 

Confirm CAA is enabled on your domain name.

1. Ask certificate provider, access ControlPanel or run DIG command to check your domain name has CAA record

The command to check CAA record is enabled

dig YOUR-DOMAIN-NAME CAA +short

If CAA is enabled, some records will be return.
Goto Step 2.

dig example.com CAA +short

0 issue "letsencrypt.org"
0 issuewild "comodoca.com"
0 issuewild "digicert.com"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issuewild "letsencrypt.org"
0 issue "comodoca.com"
0 issue "digicert.com"
0 issue "digicert.com; cansignhttpexchanges=yes"

If CAA is disabled, no records will be return.

dig example.com CAA +short

No CAA records, back to Custom Domains on Shifter to complete steps.

2. Add CAA records to DNS provider

Add one of the following DNS record to your domain name

amazon.com
amazontrust.com
awstrust.com
amazonaws.com

Here are some samples for setting up CAA records DNS providers.

CloudFlare
Add amazon.com for example.com

Add amazon.com for www.example.com

 
GoDaddy

Add amazontrust.com for example.com

Add amazontrust.com for www.example.com

 
Route 53
Add amazonaws.com for example.com

Add amazonaws.com for www.example.com

3. Go to Custom Domains on Shifter to complete Setting up Custom Domain steps.

Did this answer your question?