Known Certificate Authorities

This page provides a comprehensive list of Certificate Authorities (CAs) that are recognized by our platform, along with their CAA identifiers for use in CAA records.

  • CAA Identifier: digicert.com
  • Website: https://www.digicert.com/
  • Services: SSL/TLS certificates, code signing, document signing
  • CAA Record Example: 0 issue "digicert.com"

  • CAA Identifier: sectigo.com
  • Website: https://sectigo.com/
  • Services: SSL/TLS certificates, code signing, document signing
  • CAA Record Example: 0 issue "sectigo.com"

  • CAA Identifier: globalsign.com
  • Website: https://www.globalsign.com/
  • Services: SSL/TLS certificates, code signing, document signing
  • CAA Record Example: 0 issue "globalsign.com"

  • CAA Identifier: entrust.net
  • Website: https://www.entrust.com/
  • Services: SSL/TLS certificates, code signing, document signing
  • CAA Record Example: 0 issue "entrust.net"

  • CAA Identifier: letsencrypt.org
  • Website: https://letsencrypt.org/
  • Services: Free SSL/TLS certificates
  • CAA Record Example: 0 issue "letsencrypt.org"

  • CAA Identifier: zerossl.com
  • Website: https://zerossl.com/
  • Services: Free SSL/TLS certificates
  • CAA Record Example: 0 issue "zerossl.com"

  • CAA Identifier: amazon.com
  • Website: https://aws.amazon.com/
  • Services: SSL/TLS certificates through AWS Certificate Manager
  • CAA Record Example: 0 issue "amazon.com"

  • CAA Identifier: pki.goog
  • Website: https://cloud.google.com/
  • Services: SSL/TLS certificates through Google Cloud
  • CAA Record Example: 0 issue "pki.goog"

  • CAA Identifier: digicert.com (managed by DigiCert)
  • Website: https://azure.microsoft.com/
  • Services: SSL/TLS certificates through Azure
  • CAA Record Example: 0 issue "digicert.com"

  • CAA Identifier: cloudflare.com
  • Website: https://www.cloudflare.com/
  • Services: SSL/TLS certificates through Cloudflare
  • CAA Record Example: 0 issue "cloudflare.com"

  • Certum: certum.pl
  • Actalis: actalis.com
  • TrustAsia: trustasia.com
  • QuoVadis: quovadisglobal.com
  • SwissSign: swisssign.com
  • Buypass: buypass.no
  • GoDaddy: godaddy.com
  • Network Solutions: netsolssl.com
  • RapidSSL: rapidssl.com

To allow only specific CAs to issue certificates:

example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issue "digicert.com"

To control wildcard certificate issuance:

example.com. IN CAA 0 issuewild "letsencrypt.org"

To receive reports of CAA violations:

example.com. IN CAA 0 iodef "mailto:security@example.com"

To make CAA records critical (CAs must understand them):

example.com. IN CAA 128 issue "letsencrypt.org"

Our platform validates CAA records to ensure they are properly formatted and will work as expected. Common validation checks include:

  • Proper DNS record format
  • Valid CAA tag values
  • Correct flag values
  • Proper value formatting
  • Duplicate record detection
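
The checks listed above can be sketched as a small validator. This is an added example, not the platform's own code. It assumes the quoted zone-file form used on this page, treats any flag other than 0 or 128 as an error, and accepts only the issue, issuewild and iodef tags; the function name and sample zone are constructed for illustration.

```python
import re

# Zone-file form used on this page: <name> IN CAA <flags> <tag> "<value>"
RECORD_RE = re.compile(r'^(\S+)\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$', re.I)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # property tags defined in RFC 8659
# Issuer value: optional domain name, then optional ";parameters" (";" alone = no issuer allowed)
ISSUER_RE = re.compile(r'^([a-z0-9-]+(\.[a-z0-9-]+)*)?\s*(;.*)?$', re.I)
IODEF_RE = re.compile(r'^(mailto:[^@\s]+@[^@\s]+|https?://\S+)$', re.I)

def validate_caa(zone_text):
    """Return a list of (line_number, problem) tuples; empty means every check passed."""
    problems, seen = [], set()
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):  # skip blank lines and zone-file comments
            continue
        m = RECORD_RE.match(line)
        if not m:
            problems.append((lineno, "bad record format"))
            continue
        name, tag, value = m.group(1).lower(), m.group(3).lower(), m.group(4).strip()
        flags = int(m.group(2))
        if flags not in (0, 128):  # assumption: only the issuer-critical bit (128) is expected
            problems.append((lineno, f"unexpected flag value {flags}"))
        if tag not in KNOWN_TAGS:
            problems.append((lineno, f"unknown tag {tag!r}"))
        elif tag == "iodef" and not IODEF_RE.match(value):
            problems.append((lineno, "iodef value is not a mailto: or http(s): URL"))
        elif tag != "iodef" and not ISSUER_RE.match(value):
            problems.append((lineno, "issuer value is not a domain name with optional parameters"))
        key = (name, tag, value.lower())
        if key in seen:  # same owner name, tag and value seen earlier in the zone
            problems.append((lineno, "duplicate record"))
        seen.add(key)
    return problems

# Constructed sample zone: the first three records are valid, each later one trips one check.
SAMPLE = '''\
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild ";"
example.com. IN CAA 128 iodef "mailto:security@example.com"
example.com. IN CAA 1 issue "digicert.com"
example.com. IN CAA 0 isue "digicert.com"
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issue letsencrypt.org
example.com. IN CAA 0 iodef "security@example.com"
'''

if __name__ == "__main__":
    print("\n".join(f"line {n}: {p}" for n, p in validate_caa(SAMPLE)))
```

A misspelled tag such as the constructed "isue" record is worth catching early: a CA ignores an unknown non-critical property, so the record would restrict nothing.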

When updating CAA records:

  1. Plan Changes: Document what changes you’re making and why
  2. Test First: Test changes in a staging environment if possible
  3. Update DNS: Make the changes in your DNS management system
  4. Verify: Use our tools to verify the records are working correctly
  5. Monitor: Watch for any issues with certificate issuance

  • Invalid CAA Format: Check the record format and syntax
  • Missing CAA Records: Ensure CAA records are properly configured
  • CA Not Recognized: Verify the CA identifier is correct
  • DNS Propagation: Allow time for DNS changes to propagate

  • Use our CAA Management tool to validate records
  • Check the DNS propagation status
  • Contact support if you need assistance