CAA Record Generator
Build CAA records that restrict which certificate authorities may issue TLS certificates for your domain — a cheap, low-risk hardening step.
@ IN CAA 0 issue "letsencrypt.org" @ IN CAA 0 issuewild "letsencrypt.org"
Add these to your DNS zone, then verify with the CAA Checker.
What a CAA record does
A CAA (Certification Authority Authorization) record is a DNS entry that names exactly which certificate authorities are allowed to issue TLS certificates for your domain. Any CA is required to check it before issuing — so if an attacker (or a mis-configured service) tries to get a certificate for your domain from a CA you haven’t authorised, issuance is refused. It’s a low-effort, high-value guard against certificate mis-issuance. This generator builds the records for you.
Every option, explained
Certificate authorities
List every CA you actually use — e.g. letsencrypt.org, digicert.com, sectigo.com, pki.goog (Google), amazon.com. This produces an issue tag per CA. Include every CA you rely on (including the one your CDN or host uses behind the scenes) before publishing, or renewals will fail.
Allow wildcard issuance
Off by default. When you use wildcard certificates (*.example.com), enable this to add an issuewildtag; leaving it off restricts wildcards for tighter control. If you don’t use wildcards, keep it off.
Violation reporting (iodef)
An optional mailto: or https: endpoint where CAs report attempted unauthorized issuance — an early warning that someone tried to get a cert for your domain.
Good to know
- CAA affects only new issuance — it won’t touch existing certificates.
- Set it at your apex; subdomains inherit it unless they have their own CAA record.
Related tools
Frequently asked questions
▸ ▾ How do I restrict certificate issuance?
Publish a CAA record naming your certificate authority, e.g. 0 issue "letsencrypt.org". Add iodef to get notified of violation attempts.
▸ ▾ Will a CAA record break my existing certs?
No — it only affects new issuance. Make sure it lists every CA you actually use before you add it.