A custom domain is created from the Admin Dashboard under Customizations > Brand > select the brand > Domains tab.
When Okta-managed certificates are used, the admin page displays the DNS records that must be created, including a CAA record that is marked optional because not all domains publish CAA records.
If the domain already has CAA records, the certificate authority that issues Okta-managed certificates, Let's Encrypt, must be authorized by them; otherwise issuance fails.
Let's Encrypt checks CAA records before issuing every certificate, so an unauthorized CAA set blocks both the initial certificate and every renewal.
- Custom Domain Configuration using Okta-Managed certificates
- The root domain already includes a CAA record
- Review whether the root domain or any of its subdomains already publish CAA records. Use the dig command, the Google Dig toolbox, or a similar web tool to check.
In this example, CAA records exist for the domain mycustomdomain.com, so a CAA record authorizing Okta's certificate provider must be added.
- Go to the DNS provider and add a CAA record with flags 0, tag issue, and value letsencrypt.org. In zone-file notation the record reads:
0 issue "letsencrypt.org"
Many DNS providers ask for the three fields (flags, tag, value) separately; enter them exactly as above. No other CAA parameters are supported on this record.
- If the root domain is mycustomdomain.com and the Okta custom domain is sso.mycustomdomain.com, the CAA record can be added to either name. A CA uses the CAA set of the name being certified or, if that name has none, the set of the closest parent that has one, so a record on the root covers sso.mycustomdomain.com only while sso.mycustomdomain.com has no CAA records of its own. If the subdomain already has its own CAA set, the letsencrypt.org entry must be added to that set.
For better management and visibility, Okta recommends adding it to the root domain, mycustomdomain.com in this example.
- Double-check that the record resolves and that letsencrypt.org appears among the issue entries. Using the dig command, for example:
$ dig -t caa mycustomdomain.com +short
0 issue "letsencrypt.org"
0 issue "amazon.com"
0 issue "sectigo.com"
0 issue "digicert.com"
Ensure that both the CAA record and the TXT verification record that Okta displays are present at the DNS provider and have propagated before continuing with the custom domain setup. If verification fails, Okta generates a new TXT value and the DNS record must be updated with it before retrying.
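The check above only confirms that a record exists at one name. Whether Let's Encrypt is actually allowed to issue for the custom domain depends on which CAA set a CA selects for that name: the name's own set, or the closest ancestor's set when the name has none. The following added example (not Okta's code or tooling) applies that RFC 8659 lookup to a constructed zone modelled on the dig output above, so the result for sso.mycustomdomain.com, for a subdomain with its own stricter set, and for a domain with no CAA at all can be compared offline. The zone contents, the hostnames restricted.mycustomdomain.com and wild.example, and the helper names are assumptions for illustration.

```python
"""Added example (not Okta's code): apply the RFC 8659 CAA lookup to a
constructed zone to decide whether letsencrypt.org may issue for a name."""
from dataclasses import dataclass
from typing import Optional

OKTA_CA = "letsencrypt.org"   # CA behind Okta-managed certificates, per the article
CRITICAL = 128                # RFC 8659 "issuer critical" flag bit


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str    # issue, issuewild, iodef, ...
    value: str  # unquoted value, e.g. 'letsencrypt.org' or ';'


def parse_dig_short(output: str) -> list:
    """Parse lines in the format of `dig -t caa NAME +short`, e.g. 0 issue "letsencrypt.org"."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        flags, tag, value = line.split(None, 2)
        records.append(CAA(int(flags), tag.lower(), value.strip().strip('"')))
    return records


def relevant_caa_set(zone: dict, name: str):
    """RFC 8659 section 3: the relevant RRset is the one at `name` itself or,
    failing that, the set at the closest ancestor that has CAA records."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, list(zone[candidate])
    return None, []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone: dict, name: str, ca: str = OKTA_CA, wildcard: bool = False):
    """Return (allowed, origin): whether `ca` may issue for `name`, and which
    name's CAA set decided it (None when no CAA set exists up the tree)."""
    origin, records = relevant_caa_set(zone, name)
    if not records:
        return True, origin  # no CAA anywhere in the chain: issuance unrestricted

    # An unknown property carrying the critical flag forbids issuance outright.
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & CRITICAL and r.tag not in known for r in records):
        return False, origin

    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"
    restricting = [r for r in records if r.tag == tag]
    if not restricting:
        return True, origin  # e.g. only an iodef record: issuance unrestricted

    allowed = any(issuer_domain(r.value) == ca.lower() for r in restricting)
    return allowed, origin


def where_to_add(zone: dict, name: str, ca: str = OKTA_CA) -> Optional[str]:
    """Name whose CAA set must gain an `issue "<ca>"` record, or None if already allowed.
    This is the set a CA will actually consult, which is not always the root."""
    allowed, origin = ca_may_issue(zone, name, ca)
    return None if allowed else origin


# Constructed sample zone (not real DNS data), modelled on the article's dig output.
SAMPLE_ZONE = {
    "mycustomdomain.com": parse_dig_short(
        '0 issue "letsencrypt.org"\n0 issue "amazon.com"\n'
        '0 issue "sectigo.com"\n0 issue "digicert.com"\n'
    ),
    # A subdomain with its own stricter set overrides the root set for names under it.
    "restricted.mycustomdomain.com": parse_dig_short('0 issue "digicert.com"'),
    # Ordinary issuance allowed, wildcard issuance forbidden.
    "wild.example": parse_dig_short('0 issue "letsencrypt.org"\n0 issuewild ";"'),
}

if __name__ == "__main__":
    for host in ("sso.mycustomdomain.com",
                 "sso.restricted.mycustomdomain.com",
                 "login.nocaa.example"):
        allowed, origin = ca_may_issue(SAMPLE_ZONE, host)
        print(f"{host}: {OKTA_CA} allowed={allowed} (decided by {origin}), "
              f"add record at: {where_to_add(SAMPLE_ZONE, host)}")
```

Feeding real data is a matter of replacing SAMPLE_ZONE with the output of `dig -t caa NAME +short` for the custom domain and each of its parents; the lookup shows which name's set a CA will consult, and therefore where the letsencrypt.org record has to live.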
Related References
- Certificate Authority Authorization (CAA)
- Error: "A new TXT value has been generated. Update your DNS record with the new TXT value, wait for it to propagate, and then return here to verify"
- Customize domain and email address
