Edit a domain's CAA resource record
Authorize DigiCert to issue TLS and Secure Email (S/MIME) certificates for your domain
Are you using DNS Certification Authority Authorization (CAA) resource records to authorize CAs to issue certificates for your domains? Do you need to authorize DigiCert to issue certificates for your domains?
If you answered yes to both questions, use these instructions to authorize DigiCert to issue certificates for your domains.
Update the domain’s DNS CAA record to include a CAA record for “digicert.com”
Open the CAA DNS zone file.
Contact your domain registrar for more detailed information on accessing and editing DNS records on your domains.
In the file, under $ORIGIN yourdomain, add the following lines as needed:
TLS: "issue" property tag only
If only using the “issue” property tags, this single CAA record applies to all hosts and subdomains under your domain, including www.yourdomain, shop.yourdomain, *.yourdomain, *.shop.yourdomain, and so on.
Example 1. "issue"
$ORIGIN yourdomain.com.
. CAA 0 issue "digicert.com"
TLS: “issue” and “issuewild” property tags
If using the “issue” and “issuewild” property tags, this CAA record applies to all hosts and subdomains under your domain, including www.yourdomain, shop.yourdomain, *.yourdomain, *.shop.yourdomain, and so on.
Example 2. "issue" and "issuewild"
$ORIGIN yourdomain.com
. CAA 0 issue "digicert.com"
. CAA 0 issuewild "digicert.com"
S/MIME: "issuemail" property tag
If using the "issuemail" property tag, this single CAA record applies to all hosts and subdomains under yourdomain, including www.yourdomain, mailbox.yourdomain, and so on.
Example 3. "issuemail"
$ORIGIN yourdomain.com
. CAA 0 issuemail "digicert.com"
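Before contacting support, you can check which certificate types an edited CAA record set authorizes for a given CA. The script below is an added example, not DigiCert code: it parses records in the form shown above and applies the standard CAA rules (RFC 8659, and RFC 9495 for "issuemail"). The function names, the sample zone text, and the "otherca.example" CA are assumptions constructed for illustration.

```python
import re

# Record form used in the examples above: <owner> CAA <flags> <tag> "<value>"
CAA_RE = re.compile(r'^\S+\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"$', re.I)
KNOWN_TAGS = {"issue", "issuewild", "issuemail", "iodef"}

# Constructed sample: DigiCert in "issue", a placeholder CA in "issuewild".
SAMPLE = '''$ORIGIN yourdomain.com
. CAA 0 issue "digicert.com"
. CAA 0 issuewild "otherca.example"
'''

def parse_caa(zone_text):
    """Return [(flags, tag, value)]; reject CAA lines that do not parse
    (for example, values pasted with typographic quotes)."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("$", ";")):
            continue
        m = CAA_RE.match(line)
        if m:
            records.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
        elif "CAA" in line.upper().split():
            raise ValueError(f"unparseable CAA record: {line!r}")
    return records

def ca_authorized(records, ca_domain, kind):
    """kind: 'host' (TLS name), 'wildcard' (TLS *.name) or 'mail' (S/MIME)."""
    # A critical (flag 128) property with an unknown tag blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    by_tag = lambda t: [v for _, tag, v in records if tag == t]
    if kind == "mail":
        relevant = by_tag("issuemail")
    elif kind == "wildcard":
        relevant = by_tag("issuewild") or by_tag("issue")  # issuewild takes precedence
    else:
        relevant = by_tag("issue")  # issuewild is ignored for non-wildcard names
    if not relevant:
        return True  # no property of this kind: CAA does not restrict issuance
    # The issuer domain is the part of the value before any ";" parameters.
    return any(v.split(";", 1)[0].strip().lower() == ca_domain.lower() for v in relevant)

if __name__ == "__main__":
    recs = parse_caa(SAMPLE)
    for kind in ("host", "wildcard", "mail"):
        print(kind, ca_authorized(recs, "digicert.com", kind))
```

For the constructed sample, the wildcard check fails for digicert.com because an "issuewild" record naming only another CA overrides "issue" for wildcard names, while the mail check passes only because no "issuemail" record restricts S/MIME issuance.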
Complete the CAA record check
Contact DigiCert Support to complete the certificate CAA record check for the domain.