{"id":1697,"date":"2020-06-08T01:09:42","date_gmt":"2020-06-07T17:09:42","guid":{"rendered":"https:\/\/www.wesbytes.com\/guide\/?post_type=kb&p=1697"},"modified":"2026-03-26T12:34:46","modified_gmt":"2026-03-26T04:34:46","slug":"universal-ssl-7-essential-tips-caa-cloudflare","status":"publish","type":"kb","link":"https:\/\/www.servergigabit.com\/guide\/kb\/universal-ssl-7-essential-tips-caa-cloudflare","title":{"rendered":"Universal SSL: 7 Essential Tips for Configuring CAA Records in Cloudflare"},"content":{"rendered":"
\n

When using Universal SSL, do not configuring CAA records<\/h2>\n

\"Introducing<\/p>\n<\/div>\n

When you enable Universal SSL and add CAA records via the Cloudflare<\/a>\u00a0DNS<\/strong>\u00a0app, Cloudflare automatically adds three additional CAA DNS records for each of our Universal SSL CA providers (currently comodoca.com, digicert.com, and globalsign.com). \u00a0Cloudflare does not append additional CAA records if Universal SSL is disabled or if no CAA records are added via the\u00a0DNS<\/strong>\u00a0app.<\/p>\n

These CAA DNS records do not display in the Cloudflare dashboard\u00a0DNS<\/strong>\u00a0app. However, if you run \u00a0a command line query using\u00a0dig<\/em>, any existing CAA records will show, including the ones added by Cloudflare Universal SSL.<\/p>\n

If you don\u2019t want or need Cloudflare Universal SSL, you can disable it in your Cloudflare\u00a0Crypto<\/strong>\u00a0settings. Disabling SSL automatically deletes the CAA DNS records for our official providers, mentioned above.<\/p>\n

Disabling Universal SSL leaves your Cloudflare-enabled DNS records without SSL support, unless you upload a custom SSL certificate (available for Cloudflare Business and Enterprise customers).<\/p>\n

\n
\n

When using your own certificate, configuring your CAA records<\/h2>\n<\/div>\n

If you\u2019re using your own origin server SSL certificate (that is, a certificate that was not provisioned by Cloudflare), you need to manually add a CAA DNS record for each Certificate Authority (CA) that you plan to use for your domain.<\/p>\n

Configuring\u00a0 only applies to certificates issued by a CA. You cannot add CAA records if you\u2019re using a self-signed certificate in your origin web server.<\/p>\n

To add a CAA record:<\/p>\n

1. Log in to the Cloudflare dashboard.<\/p>\n

2. Ensure the website you want to update is selected.<\/p>\n

3. Click the\u00a0DNS<\/strong>\u00a0app.<\/p>\n

4. In the\u00a0DNS Records<\/strong>\u00a0panel, click the record type dropdown to select\u00a0CAA<\/em>.<\/p>\n

5. In the\u00a0Name<\/strong>\u00a0text box, type your domain.<\/p>\n

6. Then in the\u00a0Click to configure<\/strong> text box, click to enter configuration details.<\/p>\n

7. In the\u00a0Add Record: CAA content\u00a0<\/strong>dialog, select a\u00a0Tag<\/strong>: either\u00a0Only allow specific hostnames<\/em>\u00a0or\u00a0Only allow wildcards<\/em>, as appropriate. The default tag is\u00a0Only allow specific hostnames<\/em>.<\/p>\n

8. For\u00a0Value<\/strong>, enter the CA name.<\/p>\n

9. Click\u00a0OK<\/strong> to close the dialog.<\/p>\n

10. Back in the\u00a0DNS Records<\/strong>\u00a0panel, verify that the information you entered is correct and then, click\u00a0Add Record<\/strong>\u00a0to save your changes.<\/p>\n

You can repeat the steps above for each CA to associate with your domain. \u00a0Once you have finished creating all the records, you can review them in the list of records appearing under the\u00a0DNS Records<\/strong>\u00a0panel.<\/p>\n

A CA queries the authoritative DNS . \u00a0Therefore, CAA records added to the Cloudflare\u00a0DNS<\/strong>\u00a0app for a domain on a CNAME setup are not used.<\/p>\n

 <\/p>\n

Please refer to the following article to know more.
\nKnowledge Base: Certification Authority Authorization (CAA) FAQ<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

When using Universal SSL, do not configuring CAA records When you enable Universal SSL and add CAA records via the Cloudflare\u00a0DNS\u00a0app, Cloudflare automatically adds three additional CAA DNS records for each of our Universal SSL CA providers (currently comodoca.com, digicert.com, and globalsign.com). \u00a0Cloudflare does not append additional CAA records if Universal SSL is disabled or if no CAA records are…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"kbtopic":[43],"kbtag":[1389],"class_list":["post-1697","kb","type-kb","status-publish","hentry","kbtopic-cloudflare","kbtag-caa-records"],"_links":{"self":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1697","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/comments?post=1697"}],"version-history":[{"count":5,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1697\/revisions"}],"predecessor-version":[{"id":6404,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1697\/revisions\/6404"}],"wp:attachment":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/media?parent=1697"}],"wp:term":[{"taxonomy":"kbtopic","embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kbtopic?post=1697"},{"taxonomy":"kbtag","embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kbtag?post=1697"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}