Configure CAA Records to Authorize SSL.com

How to authorize SSL.com via CAA Records

SSL.com is a Certificate Authority (CA) with trusted roots in many browsers and devices.  As a customer you may be concerned about which CAs can issue certificates for your domains. However, there are industry regulations in place to insure that customers can decide which Certificate Authorities are authorized to issue certificates for their websites and devices.  These restrictions are configured via CAA record(s) in the DNS Zone for the domain.

All Certificate Authorities are now required to check for Certificate Authority Authorization (CAA) records prior to issuing a server certificate. Therefore, you should add CAA records that allow SSL.com to issue certificates to your DNS zone. You can use the following examples as templates for your actual entries. (Of course, you would replace example.com with your own domain name.)

Authorize SSL.com to issue certificates for example.com (and any subdomains, including wildcards):

example.com. 3600 IN CAA 0 issue "ssl.com"
example.com. 3600 IN CAA 0 issuewild "ssl.com"

Authorize SSL.com to issue certificates for example.com (and all subdomains except for the wildcard *.example.com):

example.com. 3600 IN CAA 0 issue "ssl.com"
example.com. 3600 IN CAA 0 issuewild ";"

Authorize SSL.com to issue certificates for subdomain.example.com ONLY (no wildcards or certificates for the main domain).

subdomain.example.com. 3600 IN CAA 0 issue "ssl.com"
example.com. 3600 IN CAA 0 issuewild ";"
example.com. 3600 IN CAA 0 issue ";"

To receive a report by email when a request to issue a SSL/TLS certificate for your site is received:

example.com. 3600 IN CAA 0 iodef "mailto:security@example.com"

(Of course, you should replace security@example.com with your actual email address.)