Certificate Authority Authorization (CAA) records are DNS records that control which Certificate Authorities (CA) are authorized to issue SSL certificates for your domain.
If your domain has no CAA records, then any CA can issue an SSL certificate for it.
If your domain has CAA records for certain CAs, then CAs not specified in those records cannot issue an SSL certificate for it.
If CAA records are preventing you from getting SSL from Sectigo, you can either:
- Add a new CAA record for Sectigo, OR
- Remove all CAA records from your domain
The best option may depend on your hosting provider.
Check Your CAA Records
Use an online DNS checker to locate CAA records for your domain name, plus any sub-domains included on a certificate request.
Using WhatsMyDNS for example, select CAA as the record type and search for your domain(s).
If there are no results, your domain does not have any CAA records of its own.
If there are any records for specific CAs, you can only request SSL from those CAs until you add more (or remove them all).
How to create a CAA record for Comodo (aka Sectigo)
In your DNS record manager, create a new CAA type record.
- Host name: your domain or @
- TTL: lowest possible (typically 30 min)
- Data value: 0 issue "sectigo.com"
When the record is created, use a DNS checker tool to locate and verify it. You should find a result like this:
yourdomain CAA 0 issue "sectigo.com"
Inherited CAA Records
If your domain has a CNAME pointing to a third-party service provider, that provider's CAA records can impact your domain. Inherited CAA records do not appear in your own domain's DNS zone, so it can be tricky to confirm when this happens.
Contact your service provider for more information about CAA record enforcement, as they may require you to get SSL from a small number of approved CAs.
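The rules above (no records means any CA, listed CAs only otherwise, and records inherited through a CNAME) can be checked with the lookup a CA performs under RFC 8659. The following is an added example, not Sectigo's code: the zone data, host names and function names are constructed for illustration, and it covers non-wildcard requests only.

```python
# Constructed sample data (not real DNS): name -> CAA RRset and/or CNAME target.
ZONE = {
    "example.test": {"CAA": [(0, "issue", "sectigo.com")]},
    "shop.example.test": {"CNAME": "stores.provider.test"},
    "stores.provider.test": {"CAA": [(0, "issue", "otherca.test")]},
    "blog.example.test": {"CNAME": "hosting.nocaa.test"},
    "locked.example.test": {"CAA": [(0, "issue", ";")]},
}


def query_caa(name, zone, max_hops=8):
    """Answer a CAA query as a resolver would: follow CNAMEs, return the final RRset."""
    for _ in range(max_hops):
        node = zone.get(name, {})
        if "CNAME" not in node:
            return node.get("CAA", [])
        name = node["CNAME"].rstrip(".").lower()
    raise RuntimeError("CNAME chain too long")


def relevant_caa(fqdn, zone):
    """Climb from fqdn towards the root; the first non-empty CAA RRset wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = query_caa(name, zone)
        if rrset:
            return name, rrset
    return None, []


def ca_may_issue(fqdn, ca_id, zone=ZONE):
    """Return (allowed, name whose CAA set decided) for a non-wildcard request."""
    source, rrset = relevant_caa(fqdn, zone)
    # Keep only the issuer domain; parameters after ';' are ignored here.
    issuers = [v.split(";")[0].strip().lower()
               for _flags, tag, v in rrset if tag.lower() == "issue"]
    # No "issue" property at all means issuance is unrestricted.
    return (not issuers or ca_id.lower() in issuers), source


if __name__ == "__main__":
    for host in ("www.example.test", "shop.example.test",
                 "blog.example.test", "locked.example.test", "www.nocaa.test"):
        print(host, ca_may_issue(host, "sectigo.com"))
```

In this sample, shop.example.test is refused because the CAA answer comes from the CNAME target's records, even though the parent zone lists sectigo.com.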