{"id":2605,"date":"2019-10-22T17:05:17","date_gmt":"2019-10-22T09:05:17","guid":{"rendered":"https:\/\/www.mondoze.com\/guide\/?post_type=kb&p=2605"},"modified":"2022-10-05T08:02:49","modified_gmt":"2022-10-05T00:02:49","slug":"certification-authority-authorization-caa-faq","status":"publish","type":"kb","link":"https:\/\/www.mondoze.com\/guide\/kb\/certification-authority-authorization-caa-faq","title":{"rendered":"Certification Authority Authorization (CAA) FAQ"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t

Certification Authority Authorization (CAA)<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t
\n\t\t\t\t

What is CAA?<\/strong><\/h3>

A Certificate Authority Authorization (CAA) record allows domain owners to restrict issuance to specified Certificate Authorities (CAs).\u00a0CAA records<\/em>\u00a0prevent CAs from issuing certificates under certain circumstances. \u00a0Refer to RFC 6844 for further details.<\/p>

How does Cloudflare evaluate CAA records?<\/strong><\/h3>

CAA records<\/em> are evaluate by a CA, not by Cloudflare.<\/p>

Setting a\u00a0CAA record<\/em>\u00a0to specify one or more particular CAs has no effect on which CA(s) Cloudflare will use to issue a Universal or Dedicated SSL certificate for your domain.<\/p>

Why must I disable Universal SSL if my CAA records<\/em>\u00a0exclude Universal SSL issuance?<\/strong><\/h3>

Since Universal SSL certificates are share between customers, your CAA records<\/em>\u00a0may prevent issuance of another customer\u2019s Universal SSL. Therefore, Cloudflare must disable Universal SSL for your domain to ensure your\u00a0CAA records<\/em>\u00a0do not affect another customer.<\/p>

CAA records<\/em> are automatically add for the Universal SSL CA providers comodoca.com, digicert.com, and letsencrypt.org if Cloudflare’s Universal SSL is enable for your domain.<\/p>

If you do not require Universal SSL from Cloudflare,\u00a0Disable Universal SSL<\/strong>\u00a0in the\u00a0Crypto<\/strong>\u00a0app.<\/p>

Disabling Universal SSL will leave your Cloudflare enable DNS records without SSL support unless you have uploaded acustom SSL certificate (requires Business or Enterprise plan).<\/p>

What records are added to keep Universal SSL enabled?<\/strong><\/h3>

The following DNS records are automatically set if you continue to use Cloudflare\u2019s free Universal SSL certificates:<\/p>

example.com. IN CAA 0 issue \"comodoca.com\" example.com. IN CAA 0 issue \"digicert.com\" example.com. IN CAA 0 issue \"letsencrypt.org\" example.com. IN CAA 0 issuewild \"comodoca.com\" example.com. IN CAA 0 issuewild \"digicert.com\" example.com. IN CAA 0 issuewild \"letsencrypt.org\"<\/pre>
Do not use the\u00a0Only allow wildcards<\/em>\u00a0option for the root record (which returns only\u00a0issuewild<\/em>\u00a0records) for any domain that will use Cloudflare’s Universal SSL.<\/p>
Used alone,\u00a0issuewild<\/em>\u00a0only permits wildcard issuance. \u00a0Therefore, Cloudflare cannot add your root domain to the certificate unless you specify the\u00a0Allow wildcards and specific hostnames<\/em>\u00a0option in the\u00a0Tag<\/strong>\u00a0dropdown:<\/p>
\"\"<\/p>
What happens when Universal SSL is disable?<\/strong><\/h3>
Your domain name is immediately remove from the Universal SSL certificate and your users will observe SSL errors unless you upload a custom SSL certificate (requires Business or Enterprise plan).<\/p>
How do I re-enable Universal SSL?<\/strong><\/h3>
File a support ticket with Cloudflare Support.<\/p>
What are the dangers of setting CAA records?<\/strong><\/h3>
If you are part of a large organization or one where multiple parties are task with obtaining SSL certificates, include CAA records<\/em>\u00a0that allow issuance for all CAs applicable for your organization. \u00a0Failure to do so can inadvertently block SSL issuance for other parts of your organization.<\/p>\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"
Certification Authority Authorization (CAA) What is CAA? A Certificate Authority Authorization (CAA) record allows domain owners to restrict issuance to specified Certificate Authorities (CAs).\u00a0CAA records\u00a0prevent CAs from issuing certificates under certain circumstances. \u00a0Refer to RFC 6844 for further details. How does Cloudflare evaluate CAA records? CAA records are evaluate by a CA, not by Cloudflare. …<\/p>\n
  Certification Authority Authorization (CAA) FAQ<\/span> Read More \u00bb<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}}},"kbtopic":[53],"kbtag":[110],"mkb_version":[],"_links":{"self":[{"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kb\/2605"}],"collection":[{"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/comments?post=2605"}],"version-history":[{"count":11,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kb\/2605\/revisions"}],"predecessor-version":[{"id":21945,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kb\/2605\/revisions\/21945"}],"wp:attachment":[{"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/media?parent=2605"}],"wp:term":[{"taxonomy":"kbtopic","embeddable":true,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kbtopic?post=2605"},{"taxonomy":"kbtag","embeddable":true,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kbtag?post=2605"},{"taxonomy":"mkb_version","embeddable":true,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/mkb_version?post=2605"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}