CAA stands for Certification Authority Authorization and it’s a standard that allows you to control which certificate authorities (CAs) are permitted to issue certificates for your domain.
In this article we explain the purpose of a CAA DNS record and how to create one for the purpose of validating your single domain or wildcard SSL Certificate.
What is CAA DNS Record
Using CAA helps reduce the risk of vulnerabilities within certificate authority validation systems while ensuring that your organization’s certificate issuance policies are properly enforced.
Putting it simply, CAA is a type of DNS record that allows site owners to specify which Certificate Authorities (CAs) are allowed to issue certificates containing their domain names.
All Certificate Authorities were mandated to check CAA DNS records for SSL certificates starting on September 8, 2017. Some providers began enforcing CAA lookups more strictly in recent years, such as Sectigo in 2024.
How to Create a CAA Record
Purchasing a Sectigo SSL Certificate will require creating a CAA DNS record as part of the Domain verification process.
Steps to Create a CAA DNS Record in cPanel
Assuming the nameservers of your domain name point to your cPanel server, proceed as follows to create the CAA record for your domain name. In our example, the domain is lg.netshop.global and we will create a CAA for Wildcard Sectigo SSL certificate.
You may also be interested in these two guides:
- How To Generate CSR (Certificate Signing Request) on Linux Server
- How To Complete SSL Order in myNetShop Portal
Login to cPanel and click Zone Editor.
Then click Manage to access the Zone editor for your domain name.
Click + Add Record and choose Add “CAA” Record from the drop-down menu.
Complete the fields as follows (screenshot below):
- Name: lg.netshop.global. (here it goes your domain name)
- TTL: 14400 (or lower if supported)
- Type: CAA
- Record:
- Issuer Critical Flag: 0
- Tag: issuewild (this is for wildcard certificates. If you are creating a single-domain SSL, then choose issue
- Value: sectigo.com (this value depends on the Certificate Authority issuing your SSL Certificate)
Click Save Record.
Steps to Create a CAA DNS Record in GoDaddy
If your domain is registered with GoDaddy and the nameservers point there then follow these steps.
- Log in to your GoDaddy Domain Control Center.
- Select the domain you wish to add a CAA for to access the Domain Settings page.
- Click the DNS tab
- Click the Add New Record button
- Select CAA as the Record type.
The necessary fields are similar to the cPanel Zone editor, fill them up as follows:
- Name: @ for root domain (e.g. example.com) or www for www.example.com.
- TTL: 1/2 hour (or lowest possible).
- Flags: 0
- Tag: issuewild if you are using this for a wildcard SSL certificate, or issue for single domain SSL.
- Domain: sectigo.com if you are using an SSL issued by Sectigo.
Congratulations! if you’ve followed the above steps then you have successfully create the CAA DNS Record. You will now need to wait for global DNS propagation and then wait for the domain validation to be completed by your SSL certificate issuing provider.
Still Need Help? Get SSL from NetShop ISP in minutes
At NetShop ISP we like to get the job done. No matter if your domain has not been purchased with us, or if the nameservers point somewhere else, we can help customers with an SSL purchased from us.
Once you complete your SSL order, contact our support team via ticket or live chat for further assistance on your SSL Certificate activation.
