A CAA (Certification Authority Authorization) record specifies which certificate authorities (CAs) are allowed to issue SSL/TLS certificates for your domain. This guide walks you through adding a CAA record in Plesk.

What is a CAA record?

A CAA record tells certificate authorities: "only the CAs listed here may issue certificates for this domain." If an unlisted CA receives a request, they must refuse it. CAA records are inherited by subdomains unless overridden.

Each CAA record has three parts:

  • Flag — usually 0
  • Tagissue (standard certs), issuewild (wildcard certs), or iodef (violation reports)
  • Value — the CA identifier (e.g. letsencrypt.org, sectigo.com, digicert.com)

Adding a CAA record in Plesk

  1. Log in to Plesk.
  2. Go to Websites & Domains → find your domain.
  3. Click Hosting & DNSDNS Settings.
  4. Click Add Record.
  5. Select CAA as the record type.
  6. Fill in the fields:
    • Domain name — leave blank for the root domain
    • Flag — enter 0
    • Tag — select issue, issuewild, or iodef
    • Value — enter the CA identifier (e.g. letsencrypt.org)
  7. Click OK to save.
  8. If prompted, click Update to apply DNS changes.

Verifying your CAA record

Run dig yourdomain.com CAA or use an online tool like DNSChecker.org. Propagation can take up to 48 hours.

Important notes

  • If you have no CAA records, any CA can issue certificates — this is fine for most sites.
  • If you do add CAA records, include every CA you use — forgetting one blocks renewals.
  • If you use Let's Encrypt via Plesk auto-SSL, always include letsencrypt.org.
  • CAA records don't affect existing certificates — only new issuance and renewals.

Troubleshooting

SSL issuance/renewal fails after adding CAA records:

  • Check your CA is listed. For Let's Encrypt, the value must be letsencrypt.org.
  • Verify with dig yourdomain.com CAA.
  • Make sure the tag is correct — issue for standard, issuewild for wildcard.

CAA not available in the dropdown:

  • You need Plesk Obsidian 18.0 or later. Contact your hosting provider if unavailable.

Record not showing in lookups:

  • Wait for propagation and ensure you clicked Update in Plesk.
  • If using external DNS (e.g. Cloudflare), add the record there instead.

Need help? Contact our support team.

Was this answer helpful? 0 Users Found This Useful (0 Votes)

Most Popular Articles

How to Add a Domain in Plesk

Adding a domain in Plesk is the first step to hosting a new website. This guide walks you through...
How to Add a Subdomain in Plesk

A subdomain is a third-level domain (e.g., blog.yourdomain.com) that can host a separate section...
How to Add a Domain Alias in Plesk

A domain alias is an alternative domain name that points to the same website as your main domain....
How to Manage DNS Records in Plesk

DNS records tell the internet where to find your website, email, and other services. Plesk...
Understanding DNS Propagation in Plesk

When you add a new domain, change DNS records, or move your website to a new server, the changes...