Overview
You can configure Certificate Authority Authorization (CAA) records in the DNS app of the Cloudflare dashboard.
About Cloudflare Universal SSL
If you enable Cloudflare Universal SSL, Cloudflare automatically adds the required CAA records in your DNS settings, specifying the Universal SSL CA providers, which are: comodoca.com, digicert.com, and globalsign.com.
If you don't have Universal SSL provided by Cloudflare, you can disable it in your Cloudflare Crypto settings. Disabling Universal SSL leaves your Cloudflare-enabled DNS records without SSL support, unless you upload a custom SSL certificate (available for Cloudflare Business plan customers and above).
Configure you CAA records
You need to add a CAA DNS record for each Certificate Authority (CA) that you plan to use for your domain.
To add a CAA record:
1. Log in to the Cloudflare dashboard.
2. Ensure the website you want to update is selected.
3. Click the DNS app.
4. In the DNS Records panel, click the record type dropdown to select CAA.
5. In the Name text box, type your domain.
6. Then in the Click to configure text box, click to enter configuration details.
7. In the Add Record: CAA content dialog, select a Tag: either Only allow specific hostnames or Only allow wildcards, as appropriate. The default tag is Only allow specific hostnames.
8. For Value, enter the CA name.
9. Click OK to close the dialog.
10. Back in the DNS Records panel, verify that the information you entered is correct and then, click Add Record to save your changes.
You can repeat the steps above for each CA to associate with your domain. Once you have finished creating all the records, you can review them in the list of records appearing under the DNS Records panel.
