A Certification Authority Authorization (CAA) record defines the certification authority (CA) that is authorized to issue S/MIME certificates for a domain. This means that no other certification authority can issue an S/MIME certificate for this domain.
Info: If a CA is to be authorized to issue an S/MIME certificate, the new property tag "issuemail" can be set. This currently applies to GlobalSign and Sectigo.
Setting up a CAA record for S/MIME
You can create the CAA records in the DNS settings of the domain.
Domain | RR-Type | Value |
---|---|---|
example.com | CAA | 0 issuemail "globalsign.com" |
The entry in the Value column consists of the following subentries:
Flag: A value between 0 and 255 that represents the "critical flag" according to the RFC.
Tag: An ASCII string that represents the property. In our case this is issuemail, which authorizes the CA specified in "value" to issue the certificates.
Example according to BIND syntax:
example.com. 300 IN CAA 0 issuemail "globalsign.com"
example.com. 300 IN CAA 0 issuemail "sectigo.com"
example.com. 300 IN CAA 0 issuemail "digicert.com"
Overview of the valid values for the certification authorities
To grant authorization to a CA and its product lines:
- globalsign.com
- sectigo.com
- digicert.com
Allow multiple CAs to issue certificates
If several CAs are to be authorized to issue certificates, several CAA records can be entered per domain.
Info: Only the CAs named in the CAA records can issue S/MIME certificates.
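How these records are evaluated before issuance, as an added example (not code from this page or from any CA): it parses CAA lines in the BIND syntax shown above, finds the record set that applies to a mail domain, and decides whether a given CA may issue an S/MIME certificate. The `.example` zone names and all function names are assumptions made for the illustration; the decision rules follow the CAA specifications (RFC 8659 and RFC 9495).

```python
import re

# Constructed sample zone (BIND syntax); the example.com issuemail rows mirror the page.
ZONE = """\
example.com.    300 IN CAA 0 issuemail "globalsign.com"
example.com.    300 IN CAA 0 issuemail "sectigo.com"
example.com.    300 IN CAA 0 issue "globalsign.com"
closed.example. 300 IN CAA 0 issuemail ";"
web.example.    300 IN CAA 0 issue "sectigo.com"
strict.example. 300 IN CAA 128 futuretag "x"
"""

CAA_LINE = re.compile(
    r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "issuemail", "iodef"}

def parse_zone(text):
    """Return {owner name: [(flag, tag, value), ...]} for every CAA line."""
    rrsets = {}
    for line in text.splitlines():
        m = CAA_LINE.match(line.strip())
        if not m:
            continue
        owner, flag, tag, value = m.groups()
        if not 0 <= int(flag) <= 255:
            raise ValueError(f"flag out of range: {line!r}")
        rrsets.setdefault(owner.lower().rstrip("."), []).append(
            (int(flag), tag.lower(), value))
    return rrsets

def relevant_rrset(rrsets, domain):
    """Climb from the mail domain towards the root; the first CAA RRset found applies."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = rrsets.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue_smime(rrsets, email, ca_domain):
    """True if ca_domain may issue an S/MIME certificate for the address."""
    rrset = relevant_rrset(rrsets, email.rsplit("@", 1)[1])
    # A critical (bit 128) property with an unknown tag blocks all issuance.
    if any(flag & 128 and tag not in KNOWN_TAGS for flag, tag, _ in rrset):
        return False
    # Only issuemail restricts S/MIME; "issue"/"issuewild" cover TLS certificates.
    allowed = [v.split(";")[0].strip().lower() for _, t, v in rrset if t == "issuemail"]
    # No issuemail property: unrestricted. ";" yields "", which matches no CA.
    return not allowed or ca_domain.lower() in allowed
```

A domain that publishes only `issue` records, like the constructed `web.example`, places no restriction on S/MIME issuance, so an `issuemail` record has to be added explicitly to lock it down.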