The Certification Authority Authorization (CAA) resource record is a proposal to improve the strength of the PKI ecosystem. It controls which CAs can issue certificates for a particular domain name, and so far only a couple hundred sites have adopted it. But not for much longer. According to the CAB Forum's mandate, certificate authorities now have to check CAA records, following the procedure laid out in RFC 6844, when issuing SSL/TLS certificates. This was required as of Sept. 8th, 2017. If you want the tl;dr version, we've summed it up for you right here.
CAA Records and Plesk
- You can list the CAs that are allowed to issue certificates for your domain in a CAA record.
- You don’t have to add CAA records for your domains. An absence of a CAA record means that any CA can issue certificates for the domain.
- Plesk supports CAA records starting from the Plesk Onyx 17.8 preview. We have no plans to backport this feature to earlier Plesk versions.
Limitations for CAA Records
- Some DNS servers/services do not support CAA records.
- If you want to allow several CAs to issue SSL/TLS certificates for your domain, you need to add multiple CAA records – one record per CA.
- You can also add CAA records to the Server DNS Template.
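The rules above (no record means any CA may issue, one record per permitted CA, a single record to make Let's Encrypt the only CA) can be seen in the check a CA performs before issuing. The following is an added example, not code from Plesk or from any CA: the zone data is constructed, `ca.example` is a hypothetical CA identifier, and the lookup is simplified to climbing parent labels without following CNAME/DNAME aliases or querying DNS.

```python
# Constructed sample data (not real DNS answers): CAA record sets by name.
# Each tuple is (flags, tag, value), as in the zone-file line
#   example.com.  IN  CAA  0 issue "letsencrypt.org"
SAMPLE_ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org")],   # Let's Encrypt only
    "multi.example.net": [                              # one record per CA
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "ca.example"),                     # hypothetical second CA
    ],
    "locked.example.org": [(0, "issue", ";")],          # no CA may issue
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(domain, zone):
    """Climb from `domain` towards the root; return the first CAA set found."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def may_issue(ca_id, domain, zone, wildcard=False):
    """True if the CA identified by `ca_id` may issue for `domain`."""
    records = relevant_caa_set(domain, zone)
    if not records:
        return True  # no CAA record on the name or any parent: any CA may issue
    # An unknown property with the critical bit (128) set blocks issuance.
    if any(f & 128 and t.lower() not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [v for _, t, v in records if t.lower() == "issue"]
    issuewild = [v for _, t, v in records if t.lower() == "issuewild"]
    # For wildcard certificates, issuewild records replace issue records.
    values = issuewild if (wildcard and issuewild) else issue
    if not values:
        return True  # only iodef (or non-applicable) properties: unrestricted
    # Value is "<CA domain>[; parameters]"; a bare ";" names no CA at all.
    allowed = {v.split(";")[0].strip().lower() for v in values}
    return ca_id.lower() in allowed


if __name__ == "__main__":
    for name in ("shop.example.com", "multi.example.net", "nocaa.example"):
        print(name, may_issue("ca.example", name, SAMPLE_ZONE))
```

Because the lookup climbs to the parent, a record on `example.com` also governs `shop.example.com` unless the subdomain publishes its own CAA set.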
How to make Let’s Encrypt your main CA
You can set Let’s Encrypt as the only CA allowed to issue SSL/TLS certificates for your domain in Plesk. The Let’s Encrypt community post has also got this one covered. Have a look at the process below:
For more information you can have a look at the CAA documentation on Let’s Encrypt or Qualys’ article on the matter. And if you have any questions, please feel free to contact us here or on our forum – we’ll be happy to lend a hand.
3 Comments
Another limitation of CAA is that you can’t set them on a domain that is specified by a CNAME record. You can only set it on the parent domain and ‘hope’ that the referred domain doesn’t overrule it.
Hello, is it possible to install an SSL certificate on a Plesk server, free of charge? I have a server with some sites for which I do not want to invest in an SSL certificate.
Hello! Yes, it is possible; please consult this page for more information on free SSL certificates: https://docs.plesk.com/en-US/obsidian/administrator-guide/plesk-extensions/let’s-encrypt.78749/
You can also take a look at certificates from trusted authorities here: https://docs.plesk.com/en-US/obsidian/administrator-guide/website-management/websites-and-domains/advanced-website-security/securing-connections-with-ssltls-certificates/securing-connections-with-the-ssl-it!-extension.80001/ Thanks for your question!