Remove CAA Records without Disabling Universal SSL

Our account uses Universal SSL for a wildcard cert (*, but we need to provision our own SSL certificate and will manage it ourselves. Because the Cloudflare Universal SSL feature automatically creates CAA records, we cannot create a new wildcard cert for our domain. To prevent downtime, we’d like to remove the CAA records without disabling Universal SSL, but those records are not available in the DNS dashboard in Cloudflare’s console.

While we can temporarily disable Universal SSL, it breaks the site and takes time for the CAA record cache to expire.

Is there a way for us to remove the CAA records while leaving Universal SSL on so we can create our new certificate? We are eventually going to remove Universal SSL.

CAA records are added automatically in two cases.

  1. You have added any CAA record, such as a reporting email address. In this case, Cloudflare will add the needed CAA records to authorise the Universal SSL Certs to be issued.
  2. You have enabled Amp Real URL, as they are required to issue the needed certificates.

What is the Certificate Authority you are going to use? The easiest solution would be to create the needed CAA record to authorise that CA.


Thank you, it was Amp Real URL that we had to disable.

Glad it’s sorted.

Is there a reason you don’t want to authorise your other CA using an appropriate CAA record? Every member of the CA/B Forum support CAA records.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.