CAA stops unauthorized CAs from issuing certificates for your domain. I use Let’s Encrypt, and Cloudflare uses the other three in my example.
Their DV warning is ridiculous. No visitor is going to know the difference between an OV and a DV certificate. The communication with either type of certificate is just as secure.
That being said, I pay the $5 per month for the dedicated SSL certificate here because I don’t like it being a multi-domain certificate. I honestly hadn’t realized it was an OV certificate until I ran that rapidssl test just now.
In any case, you can’t use your own SSL certificate unless you’re on a Business or Enterprise plan. I recommend CAA for anybody who wants to lock down certificate issuance for their domain.
I believe these two steps will be your best bet:
- Pay that $5/month for the Cloudflare Dedicated SSL certificate. That will get rid of that DV warning.
- Add the CAA records from my example.
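
How a CA is expected to evaluate CAA records before issuing, as an added example that is not part of the original post. It follows the RFC 8659 rules in simplified form (no CNAME handling, no live DNS lookups); the zone data, the function names and the `ca-one.example` identifier are constructed placeholders, not the poster's records.

```python
# Constructed zone data: owner name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "ca-one.example; account=12345"),  # placeholder CA identifier
        (0, "issuewild", ";"),                           # forbid all wildcard issuance
    ],
    "locked.example.com": [(0, "issue", ";")],           # forbid all issuance
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name, zone):
    """Climb from the name toward the root; the first CAA RRset found applies."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_may_issue(hostname, ca_id, zone):
    """Return True if the CA identified by ca_id may issue for hostname."""
    wildcard = hostname.startswith("*.")
    rrset = relevant_rrset(hostname[2:] if wildcard else hostname, zone)
    if not rrset:
        return True  # no CAA records anywhere on the path: any CA may issue
    # An unknown property with the critical bit (128) set means: do not issue.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    by_tag = {}
    for _, tag, value in rrset:
        # The value is "<issuer domain>[; parameters]"; a bare ";" names no issuer.
        issuer = value.split(";")[0].strip().lower()
        by_tag.setdefault(tag.lower(), []).append(issuer)
    if wildcard and "issuewild" in by_tag:
        allowed = by_tag["issuewild"]   # issuewild overrides issue for wildcards
    elif "issue" in by_tag:
        allowed = by_tag["issue"]
    else:
        return True  # e.g. only iodef present: issuance is not restricted
    return ca_id.lower() in allowed


if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "other-ca.example"),
                     ("*.example.com", "letsencrypt.org")]:
        print(host, ca, ca_may_issue(host, ca, ZONE))
```

CAA is checked by the CA at issuance time, so it constrains which CAs will issue; it does not affect certificates that already exist.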