{"id":1698,"date":"2020-06-08T01:11:00","date_gmt":"2020-06-07T17:11:00","guid":{"rendered":"https:\/\/www.wesbytes.com\/guide\/?post_type=kb&p=1698"},"modified":"2026-03-26T12:30:39","modified_gmt":"2026-03-26T04:30:39","slug":"caa-essential-certificate","status":"publish","type":"kb","link":"https:\/\/www.servergigabit.com\/guide\/kb\/caa-essential-certificate","title":{"rendered":"CAA: 5 Critical Facts You Must Know About Certificate Authority Authorization"},"content":{"rendered":"
\n

\"Certification<\/h2>\n

What is Certification Authority Authorization (CAA) ?<\/h2>\n<\/div>\n

A Certificate Authority Authorization (CAA) record allows domain owners to restrict issuance to specified Certificate Authorities (CAs).\u00a0CAA records<\/em>\u00a0prevent CAs from issuing certificates under certain circumstances. \u00a0Refer to RFC 6844 for further details.<\/p>\n

 <\/p>\n

\n

How does Cloudflare evaluate CAA records?<\/h2>\n<\/div>\n

CAA records<\/em>\u00a0are evaluate by a CA, not by Cloudflare<\/a>.<\/p>\n

Setting a\u00a0CAA record<\/em>\u00a0to specify one or more particular CAs has no effect on which CA(s) Cloudflare will use to issue a Universal or Dedicated SSL certificate for your domain.<\/p>\n

 <\/p>\n

\n

Why must I disable Universal SSL if my\u00a0CAA records<\/em>\u00a0exclude Universal SSL issuance?<\/h2>\n<\/div>\n

Since Universal SSL certificates are share between customers, your\u00a0CAA records<\/em>\u00a0may prevent issuance of another customer\u2019s Universal SSL. Therefore, Cloudflare must disable Universal SSL for your domain to ensure your\u00a0CAA records<\/em>\u00a0do not affect another customer.<\/p>\n

CAA records<\/em>\u00a0are automatically add for the Universal SSL CA providers comodoca.com, digicert.com, and letsencrypt.org if Cloudflare\u2019s Universal SSL is enable for your domain.<\/p>\n

If you do not require Universal SSL from Cloudflare,\u00a0Disable Universal SSL<\/strong>\u00a0in the\u00a0Crypto<\/strong>\u00a0app.<\/p>\n

Disabling Universal SSL will leave your Cloudflare enable DNS records without SSL support unless you have uploaded acustom SSL certificate (requires Business or Enterprise plan).<\/p>\n

\n

<\/h2>\n<\/div>\n
\n

What records are added to keep Universal SSL enabled?<\/h2>\n<\/div>\n

The following DNS records are automatically set if you continue to use Cloudflare\u2019s free Universal SSL certificates:<\/p>\n

example.com. IN CAA 0 issue \"comodoca.com\" example.com. IN CAA 0 issue \"digicert.com\" example.com. IN CAA 0 issue \"letsencrypt.org\" example.com. IN CAA 0 issuewild \"comodoca.com\" example.com. IN CAA 0 issuewild \"digicert.com\" example.com. IN CAA 0 issuewild \"letsencrypt.org\"<\/pre>\n
Do not use the\u00a0Only allow wildcards<\/em>\u00a0option for the root record (which returns only\u00a0issuewild<\/em>\u00a0records) for any domain that will use Cloudflare\u2019s Universal SSL.<\/p>\n
Used alone,\u00a0issuewild<\/em>\u00a0only permits wildcard issuance. \u00a0Therefore, Cloudflare cannot add your root domain to the certificate unless you specify the\u00a0Allow wildcards and specific hostnames<\/em>\u00a0option in the\u00a0Tag<\/strong> dropdown:<\/p>\n
 <\/p>\n
 <\/p>\n
\n
What happens when Universal SSL is disable?<\/h2>\n<\/div>\n
Your domain name is immediately remove from the Universal SSL certificate and your users will observe SSL errors unless you upload a custom SSL certificate (requires Business or Enterprise plan).<\/p>\n
 <\/p>\n
\n
How do I re-enable Universal SSL?<\/h2>\n<\/div>\n
File a support ticket with Cloudflare Support.<\/p>\n
 <\/p>\n
\n
What are the dangers of setting CAA records?<\/h2>\n<\/div>\n
If you are part of a large organization or one where multiple parties are task with obtaining SSL certificates, include\u00a0CAA records<\/em>\u00a0that allow issuance for all CAs applicable for your organization. \u00a0Failure to do so can inadvertently block SSL issuance for other parts of your organization.<\/p>\n
 <\/p>\n
Please refer to the following article to know more.
\nKnowledge Base: How to Configuring CAA Records<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"
What is Certification Authority Authorization (CAA) ? A Certificate Authority Authorization (CAA) record allows domain owners to restrict issuance to specified Certificate Authorities (CAs).\u00a0CAA records\u00a0prevent CAs from issuing certificates under certain circumstances. \u00a0Refer to RFC 6844 for further details.   How does Cloudflare evaluate CAA records? CAA records\u00a0are evaluate by a CA, not by Cloudflare. Setting a\u00a0CAA record\u00a0to specify one…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"kbtopic":[43],"kbtag":[1388],"class_list":["post-1698","kb","type-kb","status-publish","hentry","kbtopic-cloudflare","kbtag-caa"],"_links":{"self":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1698","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/comments?post=1698"}],"version-history":[{"count":5,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1698\/revisions"}],"predecessor-version":[{"id":6403,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1698\/revisions\/6403"}],"wp:attachment":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/media?parent=1698"}],"wp:term":[{"taxonomy":"kbtopic","embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kbtopic?post=1698"},{"taxonomy":"kbtag","embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kbtag?post=1698"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}