What’s a CAA resource record?

The Certification Authority Authorization, or CAA resource record is a proposal to improve the strength of the PKI ecosystem. It controls which CAs can issue certificates for a particular domain name, and so far there have only been a couple hundred sites adopting it. But not for much longer. According to CAB Forum’s mandate, certificate authorities now have to check CAA records following the procedure laid out in RFC 6844 when issuing SSL/TLS certificates. This was required as of Sept. 8th, 2017. But if you want the tl;dr version, we’ve summed it up for you right here.

CAA Records and Plesk

  1. You can list the CAs that are allowed to issue certificates for your domain in a CAA record.
  2. You don’t have to add CAA records for your domains. An absence of a CAA record means that any CA can issue certificates for the domain.
  3. Plesk supports CAA records starting from the Plesk Onyx 17.8 preview. We have no plans to backport this feature to earlier Plesk versions.

Limitations for CAA Records

  • Some DNS servers/services do not support CAA records.
  • If you want to allow several CAs to issue SSL/TLS certificates for your domain, you need to add multiple CAA records – one record per CA.
  • You can also add CAA records to the Server DNS Template.

How to make Let’s Encrypt your main CA

You can set Let’s Encrypt as the only CA allowed to issue SSL/TLS certificates for your domain in Plesk. The Let’s Encrypt community post has also got this one covered. Have a look at the process below:

Add CAA Record
CAA record addition procedure

For more information you can have a look at the CAA documentation on Let’s Encrypt or Qualys’ article on the matter. And if you have any questions, please feel free to contact us here or on our forum – we’ll be happy to lend a hand.

3 Comments

  1. Another limitation of CAA is that you can’t set them on a domain that is specified by a CNAME record. You can only set it on the parent domain and ‘hope’ that the referred domain doesn’t overrule it.

  2. Hello Is it possible to install SSL certificate to plesk server, free of charge? I have a server with some sites that I do not want to invest in an SSL certificate

Add a Comment

Your email address will not be published. Required fields are marked *

GET LATEST NEWS AND TIPS

  • Yes, please, I agree to receiving my personal Plesk Newsletter! WebPros International GmbH and other WebPros group companies may store and process the data I provide for the purpose of delivering the newsletter according to the WebPros Privacy Policy. In order to tailor its offerings to me, Plesk may further use additional information like usage and behavior data (Profiling). I can unsubscribe from the newsletter at any time by sending an email to [email protected] or use the unsubscribe link in any of the newsletters.

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden

Related Posts

Knowledge Base