Network Diagnostic Tools

CAA Lookup

Which CAs may issue certificates

What is a CAA record?

A CAA (Certification Authority Authorization) record lets a domain declare which certificate authorities may issue certificates for it. CAs are required by the CA/Browser Forum to honour these records, so they reduce the risk of mis-issuance — a CA wrongly issuing a certificate for your domain. CAA is a simple, powerful guardrail for your TLS certificates.

How CAA records work

A CAA record names an allowed certificate authority by its domain. Before issuing, a compliant CA checks the CAA records for your domain; if records exist and none list that CA, it must refuse. The record has three parts: a flag, a tag and a value. The common tags are issue (authorizes a CA to issue standard certificates), issuewild (controls wildcard certificates specifically), and iodef (a URL or mailto where CAs report policy violations). For example, issue "letsencrypt.org" permits only Let's Encrypt to issue.

How to read your CAA lookup results

IPeek lists the CAA records on the domain, each with its tag and value. Read the issue tags to see which CAs are authorized — a value like "letsencrypt.org" or "digicert.com" names the permitted authority. An issuewild tag restricts who may issue wildcard certificates. An issue value of ";" (semicolon) means no CA is authorized at all. If the domain has no CAA records, any public CA may issue, which is the permissive default. Check that the CAs listed match the providers you actually use for certificates.

Why CAA records improve certificate security

Without CAA, any of dozens of public certificate authorities can issue a certificate for your domain, so a single compromised or tricked CA is enough for an attacker to obtain a valid certificate. CAA narrows that attack surface to only the CAs you name. Because the CA/Browser Forum mandates that CAs check CAA before issuing, the protection is enforced industry-wide. Add the iodef tag and authorized CAs can notify you of attempted policy violations, giving early warning of someone trying to obtain a certificate they should not.

Frequently asked questions

What happens if a domain has no CAA record?

With no CAA record, any publicly trusted certificate authority is allowed to issue certificates for the domain — the permissive default. Adding CAA records restricts issuance to only the CAs you list. If you care which authorities can certify your domain, publish CAA records; otherwise issuance stays open to all compliant CAs.

What are the issue, issuewild and iodef tags?

These are the three standard CAA tags. issue authorizes a named CA to issue regular certificates, issuewild specifically controls wildcard certificate issuance, and iodef gives a URL or mailto address where CAs report attempted policy violations. Using issue plus iodef both restricts who can certify your domain and alerts you to violations.

Do certificate authorities have to obey CAA records?

Yes. Under CA/Browser Forum rules, publicly trusted CAs are required to check a domain's CAA records before issuing and must refuse if the records do not authorize them. This makes CAA an enforced control rather than a suggestion. It does not stop an already-issued certificate, but it blocks new mis-issuance by compliant authorities.

How do I allow more than one certificate authority?

Publish a separate CAA issue record for each authority you want to permit. For example, one record with issue "letsencrypt.org" and another with issue "digicert.com" authorizes both. CAs check whether any record names them, so multiple issue records simply widen the set of allowed authorities while still excluding everyone else.

Can CAA records control wildcard certificates separately?

Yes, that is what the issuewild tag is for. issuewild governs who may issue wildcard certificates (like *.example.com), overriding the plain issue tag for wildcards. You might allow a CA to issue regular certificates but restrict or forbid wildcards, or vice versa, by combining issue and issuewild records appropriately.

Related tools

Deutsch | English | Español | Français | Italiano | Português | Русский | Українська | 日本語 | 简体中文 | 한국어