Domain Locking

Solution ID : AL210322144302
Last Modified : 10/21/2023


Update your CAA resource record to lock a domain

To lock a domain so only your CertCentral account members can get certificates for it:

  1. Create a Certification Authority Authorization (CAA) resource record for your domain.
  2. Authorize DigiCert to issue certificates for your domain.
  3. Add the random value from your CertCentral account.

For more information about DNS CAA resource records, see DNS CAA resource record check. For information on how to use domain lock, see Lock a domain.

Update the CAA resource record

Registrars have different methods to let you update CAA resource records.

These instructions present some of the settings required to enable locks. Note that you may need to contact your domain's registrar for registrar-specific information about how to access and edit DNS resource records. 

  1. Create or open the CAA resource record.
  2. Populate the resource record with the following info:
    • Type: CAA
    • Name: @
    • Flags: 0
    • Tag: issue
    • Value: digicert.com; account=fce9431ca2df7ae0d25a6de09587fdc1ff1616e7187655a18eb72723a0b85c86
      • digicert.com is the value for the CA that you authorize to issue certificates for your domain.
      • fce9431ca2df7ae0d25a6de09587fdc1ff1616e7187655a18eb72723a0b85c86 is the DigiCert-generated random value from your CertCentral account.
      • "account=" must be included in front of the random value.
  3. Save the updated record.
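
To confirm the saved record matches the settings above, the following added example (not DigiCert tooling or code from this article) parses CAA records in the presentation format that DNS lookup tools print and reports whether each `issue` record names digicert.com with the expected `account=` value. The function names, verdict labels and sample records are assumptions made for illustration; the account value is the example value from this page.

```python
import re

# ACCOUNT is the example value shown on this page; SAMPLE records are constructed.
ACCOUNT = "fce9431ca2df7ae0d25a6de09587fdc1ff1616e7187655a18eb72723a0b85c86"
SAMPLE = [
    f'0 issue "digicert.com; account={ACCOUNT}"',
    f'0 issue "digicert.com; {ACCOUNT}"',        # "account=" left out
    '0 issue "digicert.com"',                    # CA authorized, no account value
    '0 issue "ca.example"',                      # a different, hypothetical CA
    '0 iodef "mailto:security@example.com"',     # not an issue record
]
RDATA = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')

def parse_caa_rdata(rdata):
    """Split '<flags> <tag> "<value>"' into (flags, tag, value)."""
    m = RDATA.match(rdata)
    if not m:
        raise ValueError(f"not CAA rdata: {rdata!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def parse_issue_value(value):
    """Return (issuer_domain, parameters, malformed_parts) for an issue value."""
    issuer, _, rest = value.partition(";")
    params, malformed = {}, []
    for part in filter(None, (p.strip() for p in rest.split(";"))):
        name, eq, val = part.partition("=")
        if eq and name.strip():
            params[name.strip()] = val.strip()
        else:
            malformed.append(part)  # parameter text without "name="
    return issuer.strip().lower(), params, malformed

def check_lock(rdata_lines, expected_account, ca="digicert.com"):
    """Return (rdata, verdict) for every 'issue' record; other tags are skipped."""
    results = []
    for rdata in rdata_lines:
        _flags, tag, value = parse_caa_rdata(rdata)
        if tag != "issue":  # the steps on this page only configure the issue tag
            continue
        issuer, params, malformed = parse_issue_value(value)
        if issuer != ca:
            verdict = "other-ca"
        elif malformed:
            verdict = "malformed-parameter"
        elif "account" not in params:
            verdict = "no-account-parameter"
        else:
            ok = params["account"] == expected_account
            verdict = "locked" if ok else "account-mismatch"
        results.append((rdata, verdict))
    return results
```

Calling `check_lock(SAMPLE, ACCOUNT)` returns one verdict per `issue` record; only the first sample record, which has the form given in step 2, is reported as `locked`.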