What CAA records to authorize Cloudflare to issue certs?

We host a website through the DigitalOcean app platform, which uses Cloudflare. We’re adding CAA records to our domains to lock down who can get certs.

What CAA records do I need to add to permit Cloudflare to get the certs it needs for our website? Searching, I see some indications that Cloudflare rotates through a number of different CAs when issuing certs, but I can’t find an authoritative list, or what those CAs want to be called in CAA records.

It should be these for Universal SSL. These should be added automatically if you’re using Cloudflare for DNS though.

example.com. IN CAA 0 issue "comodoca.com"
example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild "comodoca.com"
example.com. IN CAA 0 issuewild "digicert.com"
example.com. IN CAA 0 issuewild "letsencrypt.org"

https://support.cloudflare.com/hc/en-us/articles/115000310832-Certification-Authority-Authorization-CAA-FAQ

If you’re using Cloudflare for SaaS then it should be:

example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issue "letsencrypt.org"

https://developers.cloudflare.com/ssl/ssl-for-saas/troubleshooting
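As an added example (not part of the thread or Cloudflare's own tooling), the following Python checker applies the RFC 8659 lookup rules to a constructed zone snapshot: the closest ancestor with CAA records decides, and wildcard names use issuewild when present, otherwise issue. The example.com records mirror the Universal SSL set above; the saas.example.com subdomain with the narrower SaaS set is a hypothetical addition to show that a child's CAA set overrides the parent's.

```python
# Added example: evaluate CAA authorization for a hostname against a
# constructed zone snapshot, following RFC 8659 (closest ancestor with
# CAA records wins; "issuewild" governs wildcard names, else "issue").
from typing import Dict, List, Optional, Tuple

# Constructed CAA data keyed by owner name: (flags, tag, value).
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    # Mirrors the Universal SSL records quoted in the answer.
    "example.com": [
        (0, "issue", "comodoca.com"),
        (0, "issue", "digicert.com"),
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "comodoca.com"),
        (0, "issuewild", "digicert.com"),
        (0, "issuewild", "letsencrypt.org"),
    ],
    # Hypothetical subdomain carrying the narrower SaaS set; it overrides
    # the parent's records for everything at or below saas.example.com.
    "saas.example.com": [
        (0, "issue", "digicert.com"),
        (0, "issue", "letsencrypt.org"),
    ],
}


def relevant_caa(name: str) -> Optional[List[Tuple[int, str, str]]]:
    """Walk from the name towards the root; return the first CAA set found."""
    labels = name.lower().rstrip(".").lstrip("*.").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None  # no CAA anywhere in the chain: any CA may issue


def ca_allowed(name: str, ca_domain: str) -> bool:
    """True if ca_domain may issue for name; wildcard names prefer issuewild."""
    rrset = relevant_caa(name)
    if rrset is None:
        return True
    # A critical-flagged (bit 128) property the CA does not understand
    # forbids issuance entirely.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False
    wildcard = name.startswith("*.")
    has_wild = any(t == "issuewild" for _, t, _ in rrset)
    tag = "issuewild" if wildcard and has_wild else "issue"
    # Strip parameters ("ca.example; validationmethods=...") before comparing.
    values = {v.split(";")[0].strip() for _, t, v in rrset if t == tag}
    return ca_domain in values  # a bare ";" value permits no CA at all
```

Run `ca_allowed("www.example.com", "comodoca.com")` to see inheritance from the parent, and `ca_allowed("saas.example.com", "comodoca.com")` to see the subdomain's set shutting that CA out.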

