Manage DNS CAA records
Notice
As of March 13, 2025, DigiCert checks CAA resource records before issuing secure email (S/MIME) certificates. Confirm your email domain's CAA records authorize DigiCert to issue S/MIME certificates before submitting secure email certificate requests.
Review and update DNS Certification Authority Authorization (CAA) records to control which certificate authorities can issue certificates for your domains. CAA records prevent unauthorized certificate authorities from issuing certificates for your domains.
How CAA records work
Before issuing a TLS/SSL or secure email (S/MIME) certificate, DigiCert checks the domain's CAA records to confirm it is authorized to issue that certificate type. DigiCert can issue a certificate if one of the following conditions is true:
No CAA record exists for the domain. Any certificate authority can issue certificates.
A CAA record exists that explicitly authorizes DigiCert.
If a CAA record exists that does not authorize DigiCert, certificate issuance fails.
Add DigiCert to your DNS CAA record
To authorize DigiCert to issue TLS/SSL certificates for your domain, add the following CAA record at your DNS provider:
yourdomain CAA 0 issue "digicert.com"
To authorize DigiCert to issue S/MIME certificates for your email domain, add the following CAA record:
yourdomain CAA 0 issuemail "digicert.com"
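To check a planned record set against the rules under "How CAA records work" before submitting a request, the following added example (not DigiCert's code) evaluates CAA data for the issue and issuemail tags. It goes beyond the summary above by following RFC 8659 and RFC 9495: it climbs from the name toward the root, treats each tag independently, and honors the critical flag. The zone data, the function names, and the set of tags the CA understands are assumptions; wildcard names are not handled, and for S/MIME the name to check is the domain part of the email address.

```python
# Added example: evaluates constructed CAA data as RFC 8659 / RFC 9495 describe.
KNOWN_TAGS = {"issue", "issuewild", "issuemail", "iodef"}  # assumed set the CA understands

# Constructed sample data (not from the page): owner name -> CAA RDATA strings.
SAMPLE_ZONE = {
    "example.com": ['0 issue "digicert.com"', '0 iodef "mailto:sec@example.com"'],
    "mail.example.com": ['0 issuemail ";"'],
    "shop.example.com": ['0 issue "otherca.example; account=1"'],
    "lab.example.com": ['128 futuretag "x"'],
}

def parse_caa(rdata):
    """Split '<flags> <tag> "<value>"' into (flags, tag, issuer domain)."""
    flags, tag, value = rdata.split(None, 2)
    # Parameters after ';' are dropped; a bare ";" yields an empty issuer (nobody).
    issuer = value.strip().strip('"').split(";", 1)[0].strip().lower()
    return int(flags), tag.lower(), issuer

def relevant_rrset(zone, fqdn):
    """Climb from fqdn toward the root; the first non-empty CAA RRset wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, [parse_caa(r) for r in zone[name]]
    return None, []

def ca_may_issue(zone, fqdn, tag="issue", ca="digicert.com"):
    """Return (allowed, owner of the RRset that decided) for a non-wildcard name."""
    owner, rrset = relevant_rrset(zone, fqdn)
    # An unrecognized tag with the critical bit (128) set blocks issuance.
    if any(flags & 128 and t not in KNOWN_TAGS for flags, t, _ in rrset):
        return False, owner
    issuers = [issuer for _, t, issuer in rrset if t == tag]
    # No property of this tag in the RRset means this certificate type is unrestricted.
    if not issuers:
        return True, owner
    return ca in issuers, owner

if __name__ == "__main__":
    for name, tag in [("www.example.com", "issue"), ("mail.example.com", "issuemail"),
                      ("shop.example.com", "issue"), ("example.org", "issue")]:
        print(name, tag, ca_may_issue(SAMPLE_ZONE, name, tag))
```

In the sample data, mail.example.com has its own CAA record set containing only issuemail, so the parent's issue restriction no longer applies to that name. Adding a CAA record at a subdomain replaces the inherited policy for that subdomain instead of extending it.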
Review CAA record status in CertCentral
For Enterprise, Partner, and Legacy accounts:
In the CertCentral main menu, go to Certificates > Domains.
Select the domain to open the domain details page.
Review the DNS CAA record status.
For Subscription accounts:
In the CertCentral main menu, go to Validation > Domains.
Select the domain to open the domain details page.
Review the DNS CAA record status.
If a CAA record restricts certificate issuance, update the DNS CAA record at your DNS provider to authorize DigiCert. Allow time for DNS propagation to complete before retrying certificate issuance.