Certificate Issuance new requirement: DNS CAA request

As of 9/15/2025, Multi-Perspective Issuance Corroboration (MPIC) is required for all certificates. For most this is not a big change, but for a few it requires that DNS CAA records, if they exist, can be queried from the public internet. If DNS is delegated to a DNS server that is not publicly reachable, MPIC validation will fail and the certificate will not be issued.

If you had a certificate for a domain name, either in the Common Name or in a Subject Alternative Name, whose DNS is served by a firewalled DNS server, it could be rejected following enforcement of Multi-Perspective Issuance Corroboration (MPIC), which went into place on September 13, 2025. This specifically concerns certificates requested through https://servercertificates.wisc.edu/ and issued by Sectigo, though all certificate authorities issuing public certificates are subject to this policy, including Let's Encrypt.

This enforcement requires that Certificate Authorities (CAs) perform CAA record checks and domain validation from the public internet. If you have a domain name that currently fails these checks, it no longer qualifies for publicly trusted SSL/TLS certificates.

Troubleshooting Tips

  • Ensure CAA records are publicly resolvable for the domain name in question
  • Test by submitting a certificate request for a domain name to https://servercertificates.wisc.edu
  • Test with DNS testing tools like https://dns.google/query?name=yourdomainnamehere.wisc.edu&rr_type=CAA&ecs=
    • SERVFAIL, TIMEOUT and REFUSED will result in Certificate issuance failures.
    • Having CAA records present that do not include the CA you’ve requested issuance from will also result in issuance failure.
      • To receive an issued certificate, ensure there are either NO CAA records present or that the CA you are requesting from does have a record present.
      • Sectigo/Incommon CAA values: Sectigo.com, trust-provider.com, usertrust.com
  • Manual testing:
    • Use the linux/mac dig command to check for delegation:
      • dig soa <yourdomainnamehere.wisc.edu>
        • If the answer is any of the DNS servers listed here: https://kb.wisc.edu/117098 then your domain is hosted by the campus Infoblox instance, and is not likely to be a delegated domain
    • To test domains for access from off campus:
      • dig caa <yourdomainnamehere.wisc.edu>
      • SERVFAIL, TIMEOUT and REFUSED will result in certificate issuance failures.
      • Having CAA records present that do not include the CA you’ve requested issuance from will also result in issuance failure.
        • To receive an issued certificate, ensure there are either NO CAA records present or that the CA you are requesting from does have a record present.
        • Sectigo/InCommon CAA values: Sectigo.com, trust-provider.com, usertrust.com
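As an added example that is not part of this KB article, the following Python script applies the interpretation rules above to saved `dig caa` output: a lookup ending in SERVFAIL, TIMEOUT or REFUSED is a failure, no CAA records means any CA may issue, and otherwise an issue record must name the requesting CA. The host app.example.wisc.edu, the sample dig output and the function names are constructed for illustration.

```python
import re
from collections import namedtuple

# CAA identifiers the KB lists for Sectigo/InCommon issuance.
SECTIGO_CAA_IDENTIFIERS = {"sectigo.com", "trust-provider.com", "usertrust.com"}
# Lookup outcomes the KB says will cause issuance failure.
FAILING_RCODES = {"SERVFAIL", "TIMEOUT", "REFUSED"}
CaaRecord = namedtuple("CaaRecord", "flags tag value")

def parse_dig_caa(dig_output: str):
    """Return (rcode, records) from the text output of `dig caa <name>`."""
    header = re.search(r"status: (\w+)", dig_output)
    if header is None:
        return "TIMEOUT", []  # dig prints no header when no server could be reached
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        # Answer lines look like: name TTL IN CAA flags tag "value"
        if len(parts) >= 7 and parts[2] == "IN" and parts[3] == "CAA":
            value = " ".join(parts[6:]).strip('"')
            records.append(CaaRecord(int(parts[4]), parts[5].lower(), value))
    return header.group(1), records

def issuance_allowed(rcode: str, records, ca_ids=SECTIGO_CAA_IDENTIFIERS):
    """Lookup must succeed, and any CAA 'issue' records must name the requested CA."""
    if rcode in FAILING_RCODES:
        return False, f"CAA lookup returned {rcode}; fix public resolution before requesting"
    issue = [r for r in records if r.tag == "issue"]
    if not issue:
        return True, "no CAA issue records present; the CA may issue"
    # The value is '<ca-domain>[; parameters]'; a bare ';' forbids all issuance.
    named = {r.value.split(";")[0].strip().lower() for r in issue}
    if named & ca_ids:
        return True, "CAA names the requested CA"
    others = sorted(n for n in named if n)
    return False, f"CAA names only {others}; add the CA or remove the records"

def check(dig_output: str):
    return issuance_allowed(*parse_dig_caa(dig_output))

# Constructed sample dig output for a made-up host (not a real zone).
SAMPLE_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
app.example.wisc.edu.\t300\tIN\tCAA\t0 issue "sectigo.com"
app.example.wisc.edu.\t300\tIN\tCAA\t0 iodef "mailto:hostmaster@example.wisc.edu"
"""
SAMPLE_SERVFAIL = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4321\n"
SAMPLE_OTHER_CA = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 99
app.example.wisc.edu.\t300\tIN\tCAA\t0 issue "letsencrypt.org"
"""
```

Paste the real output of `dig caa yourdomainnamehere.wisc.edu` into `check()` to see which of the three outcomes applies before submitting a request.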

For more information:

Please reach out if you have any questions. We can provide a list of impacted subdomains that have been issued a certificate in the past year as well as associated email addresses, upon request.



Keywords:
CAA MPIC DNS Certificate Authority Authorization 
Doc ID:
155303
Owned by:
PHILIP J. in SSL Server Certificates
Created:
2025-10-02
Updated:
2025-10-06
Sites:
SSL Server Certificates