<!DOCTYPE html> <html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><title>CAA Record Generator</title><meta name="robots" content="noarchive"><link rel="icon" type="image/png" href="https://sslmate.com/assets/img/favicon.png"><link rel="stylesheet" type="text/css" href="style.css"> <script type="text/javascript" src="generator.js"></script> <script type="text/javascript"> document.addEventListener('DOMContentLoaded', function() { init_caa_generator(document.body.dataset.sslmateDomain, document.getElementById('generator_form'), document.getElementById('ca_table'), document.getElementById('caa_output_zonefile'), document.getElementById('caa_output_rfc3597'), document.getElementById('caa_output_tinydns'), document.getElementById('caa_output_dnsmasq'), document.getElementById('caa_output_generic'), document.getElementById('certspotter_link')); }); </script> </head><body data-sslmate-domain="sslmate.com"><a id="github_ribbon" href="https://github.com/SSLMate/caa_helper"></a><div id="root"><div id="masthead"><h1>CAA Record Helper</h1><p class="by">By <a href="https://sslmate.com">SSLMate</a></p><ul class="nav"><li><a href=".">Generate CAA Record</a></li> <li><a href="support">Who Supports CAA?</a></li> <li><a href="about">About CAA</a></li></ul></div> <div class="generator"> <form id="generator_form"> <div class="overview"> <p> Over a hundred certificate authorities (CAs) have the power to issue certificates which vouch for the identity of your website. Certificate Authority Authorization (CAA) is a way for you to restrict issuance to the CAs you actually use so you can reduce your risk from security vulnerabilities in all the others. Setting up CAA is an easy way to improve your website's security. <a href="about">Learn More</a> </p> </div> <div class="section"> <h2>1. Enter Your Domain Name</h2> <p> <label for="domain_input">Domain name: </label><input id="domain_input" type="text" name="domain" size="30"> </p> </div> <div class="section"> <h2>2. Choose an Initial Policy</h2> <table class="policy_selection"> <tr> <td><button type="button" name="empty_policy">Empty Policy</button></td> <td>You'll start with an empty policy that prohibits all CAs.</td> </tr> <tr> <td><button type="button" name="use_sslmate_policy">SSLMate Policy</button></td> <td>Your policy will allow only the CAs used by <a href="https://sslmate.com">SSLMate</a>.</td> </tr> <tr> <td><button type="button" name="autogenerate_policy">Auto-Generate Policy</button></td> <td>We'll use <a href="https://www.certificate-transparency.org/">Certificate Transparency</a> to see which CAs you're currently using.</td> </tr> <tr> <td><button type="button" name="load_policy">Load Current Policy</button></td> <td>We'll load your existing CAA record set so you can make adjustments.</td> </tr> </table> </div> <div class="section"> <h2>3. Select Authorized Certificate Authorities</h2> <p class="instructions"> Check off the certificate authorities which you authorize to issue certificates for your domain. You can separately authorize the issuance of wildcard and non-wildcard certificates. </p> <div class="ca_selector"> <p> <label for="ca_filter_input">Filter by CA name: </label> <input id="ca_filter_input" type="text" name="ca_filter" value="" size="40"> <button type="button" name="clear_ca_filter" class="link">Clear Filter</button> </p> <table id="ca_table"> <thead> <tr> <td class="name_col"></td> <td class="type_col" colspan="2">Type of certificate</td> </tr> <tr> <td class="name_col"></td> <th class="nonwild_col">Non-Wildcard</th> <th class="wild_col">Wildcard</th> </tr> </thead> <tbody> </tbody> </table> </div> </div> <div class="section"> <h2>4. Incident Reporting (Optional)</h2> <p class="instructions"> You can specify an email address or URL for reporting certificate requests or issued certificates that violate your CAA policy. Reports will be provided in <a href="https://tools.ietf.org/html/rfc5070">iodef</a> format. </p> <p> <label for="iodef_input">Email address or URL: </label><input id="iodef_input" type="text" name="iodef" size="40"> </p> </div> <div class="section"> <h2>5. Publish Your CAA Policy</h2> <p class="instructions"> Add the following CAA records to your domain's DNS. Your DNS must be hosted with a <a href="support">service that supports CAA</a>. </p> <div class="output"> <div> <h3>Generic</h3> <p class="software">For Google Cloud DNS, Route 53, DNSimple, and other hosted DNS services</p> <table> <thead> <th>Name</th> <th>Type</th> <th>Value</th> </thead> <tbody id="caa_output_generic"></tbody> </table> </div> <div> <h3>Standard Zone File</h3> <p class="software">For BIND ≥9.9.6, PowerDNS ≥4.0.0, NSD ≥4.0.1, Knot DNS ≥2.2.0</p> <pre id="caa_output_zonefile"></pre> </div> <div> <h3>Legacy Zone File (<a href="https://tools.ietf.org/html/rfc3597">RFC 3597</a> Syntax)</h3> <p class="software">For BIND &lt;9.9.6, NSD &lt;4.0.1, Windows Server 2016</p> <pre id="caa_output_rfc3597"></pre> </div> <div> <h3>tinydns</h3> <p class="software"></p> <pre id="caa_output_tinydns"></pre> </div> <div> <h3>dnsmasq</h3> <p class="software"></p> <pre id="caa_output_dnsmasq"></pre> </div> </div> </div> <div class="section"> <h2>5. Monitor Your Domain (Optional)</h2> <p class="instructions"> Even if you publish a CAA record, a noncompliant certificate authority can ignore your CAA records. Use <a href="https://sslmate.com/certspotter" id="certspotter_link">Cert Spotter</a> to monitor Certificate Transparency logs so you'll be notified if this happens. </p> </div> </form> </div> <div id="footer"><p>© 2022 Opsmate, Inc.</p></div></div></body></html>