SSL Certificates and CAA Records

CAA stands for Certification Authority Authorization. These records are set with your DNS provider, and Certificate Authorities (like Let’s Encrypt or RapidSSL) check them to verify that they are authorized before issuing SSL certificates.

Previously, any Certificate Authority could issue an SSL/TLS certificate for any domain (even google.com), regardless of who owned the domain, as there was no functionality to prevent this. To prevent certificates being issued to users for domains they did not own, the CAA record was introduced, and Certificate Authorities are now obligated to check for a CAA record when issuing an SSL certificate.


Why do I need a CAA Record?

Having a CAA Record that specifies a particular Certificate Authority means that only that provider can issue certificates for your domain. So if you have a CAA Record that specifies Let’s Encrypt, then only Let’s Encrypt can issue an SSL certificate. This record will block a provider like RapidSSL from issuing a certificate for the same domain, since only Let’s Encrypt is authorized.

As Certificate Authorities are now required to check for CAA records, your DNS provider must support CAA records in order for an SSL certificate to be issued. If your DNS provider does support CAA records but one has not been set, any Certificate Authority can issue a certificate, which can lead to multiple SSL providers issuing a certificate for the same domain.


How is this Record checked?

If you wish to use SSL on your domain, you first need to check whether your DNS provider supports CAA records. Certificate Authorities query the CAA record when determining whether an SSL certificate can be issued, and you can run the same lookup with a dig command:

dig -t TYPE257 domain.com

If your DNS provider allows CAA Records you will see a status of “NOERROR” returned. This indicates you can set a CAA record with your DNS provider. If not, you will see a “SERVFAIL” status. If you receive a SERVFAIL status when running this command and want to use an SSL certificate, please contact your DNS provider for more help.

You can see which DNS providers allow CAA Records on SSLMate. If your DNS provider is not listed there you will need to check with their Support team to determine whether CAA Records are supported with their service.
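The following added example (not part of the original article or any WP Engine tooling) reads the output of the dig lookup above and decides whether a given Certificate Authority may issue, covering the NOERROR/SERVFAIL statuses and the "only the named CA can issue" rule described earlier. The sample output is constructed, `other-ca.example` is a placeholder for a second CA, and the check looks only at the answer for the queried name, not at parent domains.

```python
import re

# Constructed sample of `dig -t TYPE257 domain.com` output (trimmed). The first
# record is in the generic "\# length hex" form dig prints when it does not
# know the CAA type by name; the second is the named CAA form.
SAMPLE = r'''
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; ANSWER SECTION:
domain.com. 300 IN TYPE257 \# 22 000569737375656C657473656E63 727970742E6F7267
domain.com. 300 IN CAA 0 issuewild ";"
'''

def parse_dig(text):
    """Return (status, [(flags, tag, value), ...]) from dig output."""
    m = re.search(r"status: (\w+)", text)
    status = m.group(1) if m else "UNKNOWN"
    records = []
    for line in text.splitlines():
        if line.startswith(";") or not line.strip():
            continue
        generic = re.search(r"\sTYPE257\s+\\#\s+(\d+)\s+([0-9A-Fa-f\s]+)$", line)
        named = re.search(r'\sCAA\s+(\d+)\s+(\w+)\s+"([^"]*)"', line)
        if generic:
            raw = bytes.fromhex("".join(generic.group(2).split()))
            if len(raw) < 2 or len(raw) != int(generic.group(1)) or len(raw) < 2 + raw[1]:
                continue  # malformed RDATA, ignore this record
            end = 2 + raw[1]  # wire format: flags byte, tag length, tag, value
            records.append((raw[0], raw[2:end].decode("ascii", "replace").lower(),
                            raw[end:].decode("ascii", "replace")))
        elif named:
            records.append((int(named.group(1)), named.group(2).lower(), named.group(3)))
    return status, records

def may_issue(text, ca_domain, wildcard=False):
    """True if this CAA answer lets ca_domain issue (wildcard or not)."""
    status, records = parse_dig(text)
    if status != "NOERROR":
        return False  # failed lookup (e.g. SERVFAIL): authorization cannot be confirmed
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"  # when present, issuewild governs wildcard certificates
    relevant = [v for _, t, v in records if t == tag]
    if not relevant:
        return True  # no CAA restriction set: any Certificate Authority may issue
    allowed = {v.split(";")[0].strip().lower() for v in relevant}
    return ca_domain.lower() in allowed  # a value of ";" authorizes no CA at all
```
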


How do I tell if I have a CAA Record set up?

Once you have confirmed your DNS provider does support CAA records, you can check to see whether your domain already has a CAA record in place. There are a few different ways to determine whether or not your domain has a custom CAA record.

SSLMATE

One option to determine if you have a CAA record already is to use the tools from SSLMate.

In the first section, enter your domain and then click the “Load Current Policy” button. If you get a popup that says “domain.com does not have a CAA Policy” then you do not currently have a CAA Record set up. If you do not get a popup, scroll down to the bottom to view the current policy for your domain.

WHATSMYDNS

Another way to check is with the tools on WhatsMyDNS.

Just enter your domain in the box. If it returns all red X’s then you do not have a CAA Record configured.

Otherwise you will get a response indicating you do have a CAA record configured and specifying the Certificate Authorities who are authorized for your domain.


Setting up a CAA Record

If your DNS provider does support CAA records, but your domain does not have a CAA record configured, you can choose to set your preferred Certificate Authorities with this record now. To set up a CAA Record you can use this tool from SSLMate.

First, enter your domain and click “Empty Policy”.

Then, select which Certificate Authorities you want to allow to issue SSL Certificates for your domain.

Once you have selected the Certificate Authorities you want, scroll to the bottom, where the tool provides the CAA Record in multiple formats for multiple different DNS types. If you are not sure which format you need, please reach out to your DNS provider for more help.

NOTE: WP Engine offers SSL certificates through Let’s Encrypt or RapidSSL, so be sure you select one of these Certificate Authorities when creating your CAA record. Let’s Encrypt SSL certificates are for one domain (non-Wildcard), and RapidSSL certificates are specifically for Wildcard domains.


What do I do if my DNS provider does not support CAA Records?

If your DNS provider does not allow the query or the creation of a CAA record, you will need to move to another DNS host in order to use an SSL certificate on your site. Cloudflare is a recommended option, but you can use the list of DNS providers who support CAA records for guidance as well.

