π Overview
This article explains CAA (Certificate Authority Authorization) records, their importance in SSL certificate issuance, and why they are critical for AWS Certificate Manager (ACM) certificates when using Cloudflare. It also provides step-by-step instructions to add the required CAA records in Cloudflare and highlights how this interacts with ASP-hosted sites.
π What are CAA Records?
CAA (Certificate Authority Authorization) records are DNS records that specify which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for your domain.
Key points about CAA records:
They enhance security by preventing unauthorized certificate issuance.
Any CA must check your domain's CAA records before issuing or renewing a certificate.
If a CA is not explicitly authorized in a CAA record, it cannot issue certificates for that domain.
β οΈ Why CAA Records Matter for AWS SSL Certificates
When using AWS Certificate Manager (ACM) to issue SSL certificates:
ACM acts as the Certificate Authority for your domain.
If your domain has CAA records that do not authorize Amazon, ACM cannot issue or renew the certificate.
-
This can result in:
Failed automatic renewals
Expired certificates
TLS handshake failures when using Cloudflare in Full (Strict) mode
Potential website downtime
In short: Without the correct CAA records, AWS-issued SSL certificates may silently fail to renew, causing outages even if Cloudflareβs own certificates are valid.
π’ ASP Hosted Sites β Automatic SSL
For all ASP-hosted sites:
AWS-approved SSL certificates are automatically applied when a site goes live.
ASP provides a CNAME record for any new domain, which enables the certificate to be applied.
Certificates automatically renew as long as the provided CNAME record remains in the DNS console.
Important:
If your organization adds Cloudflare to your internal setup:
It is highly likely that CAA records will also need to be added to ensure automatic certificate renewal continues.
Failure to do this can result in the SSL certificate expiring, and the website being inaccessible until the CAA records are added and approved.
ASP does not have access to your Cloudflare accounts, so CAA records must be managed by your internal team or DNS administrator.
π Required CAA Records for AWS Certificates
To ensure ACM can issue and renew certificates successfully, the following CAA records should exist for your domain:
| Record | Type | Name | Flag | Tag | Value | TTL | Notes |
|---|---|---|---|---|---|---|---|
| 1 | CAA | @ | 0 | issue | amazon.com | Auto | Authorizes ACM to issue SSL certificates |
| 2 | CAA | @ | 0 | issue | amazontrust.com | Auto | Authorizes Amazon Trust Services for issuance and renewal |
π οΈ Step-by-Step: Adding CAA Records in Cloudflare
-
Log in to Cloudflare
Navigate to https://dash.cloudflare.com
Select your domain.
-
Open DNS settings
Click DNS in the left sidebar.
Stay on the Records tab.
-
Add the required CAA records
Click Add record and create the following:
| Type | Name | Flag | Tag | Value | TTL |
|---|---|---|---|---|---|
| CAA | @ | 0 | issue | amazon.com | Auto |
| CAA | @ | 0 | issue | amazontrust.com | Auto |
-
Verify the CAA records
-
From a terminal or command prompt:
dig CAA yourdomain.com You should see amazon.com and amazontrust.com listed.
-
-
Check AWS Certificate Manager
Open ACM in the AWS console.
Verify the certificate status is Issued or Pending validation.
If expired, request a new certificate.
β Key Takeaways
CAA records do not revoke existing certificates, but they can block issuance or renewal.
Without the correct CAA records, AWS SSL certificates may fail to renew, causing downtime in Full (Strict) Cloudflare configurations.
Always include
amazon.comandamazontrust.comin CAA records for domains using ACM.For ASP-hosted sites, SSL is automatically applied via a provided CNAME record. If Cloudflare is added to the setup, CAA records must be manually added and managed, as ASP cannot access your Cloudflare account.
Failure to manage CAA records correctly can lead to SSL expiration and inaccessible websites until the records are added and approved.
Comments
0 comments
Please sign in to leave a comment.