CAA is an additional security measure in the CA/Browser Forum's Baseline Requirements, intended to prevent misuse of certificate issuance.

By publishing CAA entries (Certification Authority Authorization DNS Resource Records) for each Fully Qualified Domain Name (FQDN), the domain owner can determine which CA is authorized to issue certificates. During order validation, the CA checks every FQDN in the certificate request for existing CAA records in the DNS (CAA Records for Fully Qualified Domain Names).

The ServerPass certification authority may only issue the certificate if, for each FQDN of a certificate order, one of the following applies:

  1. a CAA entry is found whose issue or issuewild property includes "", or
  2. no CAA entry is filed.

To speed up order processing, you should publish the issue or issuewild property "" for all your domains.
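The per-FQDN check described above can be sketched as follows. This is an added example, not ServerPass code: the identifier `ca.example`, the zone data and all function names are assumptions, since the page does not show the CA's real identifier. It goes beyond the two conditions on the page by following RFC 8659 for parent-domain lookup, wildcard handling and the critical flag.

```python
# Added example: evaluates constructed CAA data; no DNS queries are made.
CA_ID = "ca.example"  # placeholder, the page does not show the CA's identifier
KNOWN_TAGS = ("issue", "issuewild", "iodef")

# Constructed zone data: owner name -> list of (flags, tag, value)
ZONE = {
    "example.org": [(0, "issue", "ca.example; account=1"), (0, "iodef", "mailto:sec@example.org")],
    "shop.example.org": [(0, "issue", "other-ca.example")],
    "example.net": [(0, "issue", "ca.example"), (0, "issuewild", ";")],
    "example.com": [(0, "iodef", "mailto:sec@example.com")],
}

def relevant_rrset(fqdn, zone):
    """Climb from the FQDN toward the root; the first name with CAA records wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":  # a wildcard is looked up at its base name
        labels = labels[1:]
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []

def issuer_of(value):
    """Issuer domain of an issue/issuewild value, parameters stripped; ';' yields ''."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(fqdn, zone=ZONE, ca_id=CA_ID):
    records = relevant_rrset(fqdn, zone)
    if not records:
        return True  # the page's second condition: no CAA entry is filed
    # An unrecognised tag with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [issuer_of(v) for _, tag, v in records if tag == "issue"]
    wild = [issuer_of(v) for _, tag, v in records if tag == "issuewild"]
    # issuewild applies only to wildcard names and then replaces issue.
    restricting = (wild or issue) if fqdn.startswith("*.") else issue
    if not restricting:
        return True  # e.g. only iodef records: issuance is not restricted
    return ca_id in restricting  # the page's first condition

def order_may_issue(fqdns, zone=ZONE, ca_id=CA_ID):
    """Every FQDN of the order must pass, as the page requires."""
    return all(may_issue(f, zone, ca_id) for f in fqdns)
```

A record on a parent domain also governs its subdomains, so a single restrictive entry at `shop.example.org` blocks an order that includes `pay.shop.example.org`.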

Certificate Transparency (CT) is a Google project: issued certificates are written to publicly verifiable and tamper-proof log servers so that abusive or misleading TLS/SSL certificates can be promptly identified and blocked. The necessary CT log servers are contacted during the certificate issuing process. In turn, each CT log server delivers a signed timestamp (SCT) in its reply; these SCTs are then stored in the certificate to verify that the certificate has been registered on a log server.

The CT extension can be deselected at the customer's request. A missing CT extension reduces the functionality of the certificate in some browsers.