The CAA record may block certificate issuance

CAA (Certification Authority Authorization) is a DNS record type. In the DNS zone of your domain, it determines which certification authorities may issue a certificate for it. It is used to prevent a certificate being issued by an authority other than the one you have chosen. However, this mechanism often prevents our customers from obtaining a certificate from DigiCert, so we will show you how to deal with this situation.

Why a CAA record is used

If a CA that is not listed in the record receives a certificate order for your domain, it should first obtain authorization from the domain owner, as required by the CAA. It should definitely not issue the certificate automatically. All CAs in the world must now respect the CAA record, so the domain owner has a powerful tool to protect the domain. However, the CAA record often prevents our customers from obtaining a certificate from DigiCert, and they do not even know about it. So we will show you how to deal with this.

What to do if the certificate cannot be issued

If the domain, or even the company, in the certificate is verified, then in most cases the only thing preventing the issuance of the certificate is the CAA record in the DNS. You can easily check the certificate verification status in your customer administration, but the CAA record is solely your responsibility. You need to check the authenticated domain's DNS records; however, editing can only be performed by a person with access to the domain's DNS records.

Check the CAA records in DNS

Open any DNS checker - such as Google Dig, or use dig in the command line. Check for CAA records with the verified domain - for Google Dig, enter a name in the Name field and click on the CAA type.

You will see the result immediately - either a CAA record is set for the domain and you will see it in the box together with its validity (TTL), or the answer will be 'Record not found!' (i.e., there is no CAA record and therefore nothing can block the issuance).

Here is an example of a collision - only one foreign CA is listed for the domain below, which means that DigiCert cannot issue a certificate for that domain:

;; ANSWER SECTION:
domain.com 600 IN CAA 1 issue "letsencrypt.org"

Edit or delete the CAA record

If there is a conflicting CAA record in the domain in the DNS, then it is necessary to modify the domain’s DNS zone. You do this with your domain’s registrar or administrator, we do not have access to DNS.

In the event of a collision, you have two options - either add a CAA record for digicert.com, which works for all CAs in our offer, or delete the conflicting record. In our case, the domain's CAA records could look like this:

;; ANSWER SECTION:
domain.com 600 IN CAA 1 issue "letsencrypt.org"
domain.com 600 IN CAA 1 issue "digicert.com"
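To check a dig answer section for a collision before you edit the zone, here is an added example (not part of this article or of DigiCert's tooling) that parses the CAA lines shown above and applies the RFC 8659 issuance rules to a given CA name. The sample answer text is constructed; it checks only the records returned for the one name, not CAA records inherited from a parent domain.

```python
import re

# Constructed sample dig output mirroring the collision above:
# only one foreign CA is listed, so digicert.com may not issue.
SAMPLE_ANSWER = """;; ANSWER SECTION:
domain.com.\t600\tIN\tCAA\t0 issue "letsencrypt.org"
"""

# name  ttl  IN  CAA  flags  tag  "value"  (tabs or spaces between fields)
CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+CAA\s+(?P<flags>\d+)\s+'
    r'(?P<tag>\S+)\s+"(?P<value>[^"]*)"\s*$')

def parse_caa(answer_text):
    """Return (flags, tag, value) tuples for every CAA line in the answer."""
    records = []
    for line in answer_text.splitlines():
        m = CAA_LINE.match(line.strip())
        if m:
            records.append((int(m["flags"]), m["tag"].lower(), m["value"].strip()))
    return records

def may_issue(records, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue for the name these records belong to.

    RFC 8659 rules applied here:
    - no CAA records at all: any CA may issue
    - 'issue' restricts issuance; 'issuewild' overrides it for wildcard names
    - a value of ';' means no CA may issue
    - an unknown tag with the critical flag (128) set means the CA must refuse
    """
    if not records:
        return True
    for flags, tag, _ in records:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    relevant = [v for _, t, v in records if t == tag]
    if not relevant:
        return True  # only other tags present (e.g. iodef); no restriction applies
    ca_domain = ca_domain.lower()
    for value in relevant:
        # the issuer may be followed by parameters, e.g. "ca.example; account=123"
        issuer = value.split(";", 1)[0].strip().lower()
        if issuer == ca_domain:
            return True
    return False
```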

After this modification, the certificate will be issued automatically with no problem: the change typically takes effect within an hour, and DigiCert will pick it up when it rechecks the domain. Otherwise, contact our support.
