Skip to main content

Edit a domain's CAA resource record

Authorize DigiCert to issue certificates for your domain

Are you using DNS Certification Authority Authorization (CAA) resource records (RRs) to authorize CAs to issue certificates for your domains? Do you need to authorize DigiCert to issue certificates for your domains?

If you answered yes to both questions, use these instructions to authorize DigiCert to issue certificates for your domains.

Update the domain’s DNS CAA record to include a CAA record for “digicert.com”

  1. Open the CAA DNS zone file.

    Contact your domain registrar for more detailed information on accessing and editing DNS records on your domains.

  2. In the file, under $ORIGIN yourdomain, add the following lines as needed:

    • "issue” property tag only

      If only using the “issue” property tags, this single CAA RR applies to all hosts and subdomains under your domain, including www.yourdomain, shop.yourdomain, *.yourdomain, *.shop.yourdomain, etc.

      Example 1. "issue"
      $ORIGIN yourdomain.com. 
      . CAA 0 issue "digicert.com"

    • “issue” and “issuewild” property tags

      If using the “issue” and “issuewild” property tags, this CAA RR applies to all hosts and subdomains under your domain, including www.yourdomain, shop.yourdomain, *.yourdomain, *.shop.yourdomain, etc.

      Example 2. "issue" and "issuewild"
      $ORIGIN yourdomain.com
      . CAA 0 issue "digicert.com"
      . CAA 0 issuewild “digicert.com”

  3. Complete the CAA RR check

    Contact DigiCert Support to complete the certificate CAA RR check for the domain.