Verify CAA records for your domain.
CAA (Certificate Authority Authorization) records restrict which certificate authorities (CAs) may issue certificates for your domain. They are stored in DNS and checked by CAs before issuance. This tool looks up CAA records for a domain and shows the tags (issue, issuewild, iodef). Use it to confirm that only your chosen CA(s) can issue, to lock down wildcards, or to debug "CA not allowed" errors. If no CAA records exist, most CAs will still issue; adding CAA improves control and can prevent mis-issuance.
issue limits which CAs can issue for the domain and its subdomains; issuewild limits which can issue wildcard certs.
Not required, but recommended. It reduces the risk of a CA you do not trust issuing a cert for your domain.
iodef gives a URL or mailto for CAs to report issuance or problems. Useful for auditing.
A CAA record allows only another CA (or none). Add the CA you use to the issue/issuewild list, or remove conflicting CAA.
Yes. After adding or changing CAA, allow propagation; CAs will see the new policy once caches update.