What’s a CAA resource record?

The Certification Authority Authorization, or CAA resource record is a proposal to improve the strength of the PKI ecosystem. It controls which CAs can issue certificates for a particular domain name, and so far there have only been a couple hundred sites adopting it. But not for much longer. According to CAB Forum’s mandate, certificate authorities now have to check CAA records following the procedure laid out in RFC 6844 when issuing SSL/TLS certificates. This was required as of Sept. 8th, 2017. But if you want the tl;dr version, we’ve summed it up for you right here.

CAA Records and Plesk

  1. You can list the CAs that are allowed to issue certificates for your domain in a CAA record.
  2. You don’t have to add CAA records for your domains. An absence of a CAA record means that any CA can issue certificates for the domain.
  3. Plesk supports CAA records starting from the Plesk Onyx 17.8 preview. We have no plans to backport this feature to earlier Plesk versions.

Limitations for CAA Records

  • Some DNS servers/services do not support CAA records.
  • If you want to allow several CAs to issue SSL/TLS certificates for your domain, you need to add multiple CAA records – one record per CA.
  • You can also add CAA records to the Server DNS Template.

How to make Let’s Encrypt your main CA

You can set Let’s Encrypt as the only CA allowed to issue SSL/TLS certificates for your domain in Plesk. The Let’s Encrypt community post has also got this one covered. Have a look at the process below:

Add CAA Record
CAA record addition procedure

For more information you can have a look at the CAA documentation on Let’s Encrypt or Qualys’ article on the matter. And if you have any questions, please feel free to contact us here or on our forum – we’ll be happy to lend a hand.