Ask a Question

Advanced Search

Solution ID : SO28342

Last Modified : 05/02/2018

Edit a domain’s CAA DNS record to get Symantec certificates


To get Symantec certificates for your domain, update the CAA DNS Resource Record to state that Symantec is approved to issue certificates for your domain.

The registered domain owner must update the CAA DNS zone file to add Symantec as an approved CA in a CAA DNS record. You can find information about how to access and edit the CAA DNS zone file for the domain by contacting the domain’s registrar.

  1. Open the CAA DNS zone file for editing.
  2. Under $ORIGIN, add the line:  CAA 0 issue “” as follows:
    . CAA 0 issue ""
  3. Sign in to Symantec Trust Center and open the certificate's Order Summary tab to recheck the order's status. If the check succeeds, your order is processed normally.

    Managed PKI for SSL: Contact your Managed PKI for SSL administrator to complete the certificate approval process for the domain.

    Partners: On your certificate's Order Information page in Symantec Partner Center, click Recheck CAA. If the check succeeds, your order is processed normally.

The single CAA record applies to all web servers in your domain, like,,, etc.


Update: With Digicert's acquisition of Symantec Website Security and related PKI solutions, Certification Authority Authorization (CAA) records can now include This authorizes DigiCert to issue DigiCert, Symantec, Thawte, GeoTrust, and RapidSSL certificates for domains that contain such CAA records.

Do you already have a CAA Resource Record authorizing Symantec to issue certificates for ( CAA 0 issue "")? Then, you don’t need to modify your existing CAA RR, nor do you need to create an additional CAA RRs for With that record you authorize DigiCert to issue your Symantec brand certificates for that domain plus all the other DigiCert certificate brands (DigiCert, Thawte, GeoTrust, and RapidSSL).

What is CAA?
Certification Authority Authorization (CAA) allows a website owner to specify the Certificate Authorities that are authorized to issue certificates for that domain or website. For additional details, please see Certification Authority Authorization (CAA)