Enable domain locking
Use domain locking to restrict which CertCentral accounts can issue certificates for your domains. When a domain is locked, only users in your account can order certificates for it.
Before you begin
Domain locking requires a Certification Authority Authorization (CAA) resource record for the domain. If your domain does not have a CAA record, contact your registrar to create one before proceeding. See Manage DNS CAA records.
Enable domain locking for your account
Enable domain locking once at the account level before locking individual domains.
In the CertCentral main menu, go to Settings > Preferences.
On the Preferences page, expand Advanced Settings.
In the Domain lock section, select Enable domain lock for this account.
Select Save Settings.
Domain locking is now active for your account. Proceed to lock individual domains.
Lock a domain
In the CertCentral main menu, go to Certificates > Domains.
Select the domain to lock.
On the domain details page, scroll to the Domain lock section and select the toggle to move it from Disabled to Pending.
Copy the unique verification token.
Go to your registrar and open your domain's CAA resource record.
Add the verification token to the CAA record using the following format:
digicert.com; account=<your-verification-token>
For example:
digicert.com; account=fce9431ca2df7ae0d25a6de09587fdc1ff1616e7187655a18eb72723a0b85c86
Save the updated CAA record.
Return to the domain details page in CertCentral and select Check CAA.
The toggle switches to Enabled when the lock is confirmed. Only users in your account can now order certificates for this domain.
Note
If domain validation expires, the domain reverts from Enabled to Pending. Revalidate the domain to restore the lock. See Revalidate a domain before validation expires. To allow another CertCentral account to order certificates for this domain, add their unique verification token to the same CAA record.
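To confirm the token was published correctly before selecting Check CAA, the following added example (not DigiCert code) parses CAA records in zone-file presentation format and extracts every account= token listed for digicert.com. It assumes the value sits in an issue or issuewild property, which this page does not specify; the function names are hypothetical and the sample records are constructed around the example token shown above.

```python
import re

# Constructed sample records, in the form `dig example.com CAA +short` prints.
# TOKEN is the example value from this page, not a real account token.
TOKEN = "fce9431ca2df7ae0d25a6de09587fdc1ff1616e7187655a18eb72723a0b85c86"
SAMPLE_RECORDS = [
    '0 issue "letsencrypt.org"',
    f'0 issue "digicert.com; account={TOKEN}"',
    '0 iodef "mailto:security@example.com"',
]

# flags, tag, then the (optionally quoted) property value
CAA_LINE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"?(.*?)"?\s*$')

def parse_issue_value(value):
    """Split an RFC 8659 issue value into (issuer_domain, [(name, value), ...])."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = []
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing semicolon
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed parameter: {part!r}")
        params.append((name.strip().lower(), val.strip()))
    return issuer, params

def account_tokens(records, issuer="digicert.com", tags=("issue", "issuewild")):
    """Return every account= token published for `issuer` (tags are an assumption)."""
    tokens = []
    for line in records:
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        _flags, tag, value = m.groups()
        if tag.lower() not in tags:
            continue
        domain, params = parse_issue_value(value)
        if domain == issuer:
            tokens += [v for n, v in params if n == "account"]
    return tokens

def lock_token_published(records, expected_token):
    """True if the exact verification token appears in a digicert.com CAA value."""
    return expected_token in account_tokens(records)

if __name__ == "__main__":
    print(lock_token_published(SAMPLE_RECORDS, TOKEN))
```

A False result with a non-empty account_tokens() list usually means the token was pasted with a typo or belongs to a different account.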