Back to Guides
ComplianceDNS

CAA Account Pinning: Lock Certificate Issuance to Your ACME Account (RFC 8657)

Pin issuance to one ACME account and one validation method. Mandatory March 15, 2027 under SC-098v2.

8 min read

Watch: CAA Account Pinning Explained

CAA account pinning uses two RFC 8657 parameters on your CAA issue/issuewild records — accounturi and validationmethods — to restrict certificate issuance to a specific ACME account and a specific validation method. It closes a real gap: base CAA says which CA may issue for your domain, but not who at that CA. With account pinning, an attacker who briefly hijacks your DNS still can't get a certificate, because they don't hold your ACME account key. As of CA/Browser Forum ballot SC-098v2, every public CA must support these parameters on 2027-03-15 — with no phase-in. The one catch that bites people: a wrong accounturi silently blocks your own renewals, so you test before you enforce.

example.com.  CAA  0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345678; validationmethods=dns-01"

What RFC 8657 actually changes

Certificate Authority Authorization (CAA) is a DNS record telling CAs whether they may issue for your domain. The base spec is RFC 8659. A plain issue record —

example.com.  CAA  0 issue "letsencrypt.org"

— says only Let's Encrypt may issue, but it doesn't stop anyone who controls the domain, including a DNS hijacker, from getting a cert through that CA.

RFC 8657 (published November 2019) added two parameters to the issue and issuewild properties: accounturi (narrows authorization from a CA to a specific account) and validationmethods (narrows how control may be proven). These were optional for years; SC-098v2 makes support mandatory in March 2027, and practitioners are deploying the records now.

The two parameters, precisely

accounturi — pin issuance to one account

Binds authorization to a single account identified by its URI. A CA must only treat the property as authorizing issuance if it recognizes the URI as the account making the request. In ACME terms that URI is your account URL, and control is proven by your account key — a DNS hijacker without that key is stopped.

Two rules from RFC 8657 you must know:

  • A property with an invalid or unrecognized accounturi is unsatisfiable — a typo fails closed, against you.
  • A property with multiple accounturi parameters is also unsatisfiable — use one per property record.

validationmethods — pin how control is proven

Takes a comma-separated list of validation-method labels (for ACME, method names like dns-01, http-01, tls-alpn-01). Setting validationmethods=dns-01 means the CA must refuse HTTP validation even for your own account. Paired with DNSSEC, dns-01 gives a cryptographically strong path and removes weaker HTTP-based ones as attack surface.

One CA-consistency rule

RFC 8657 requires a CA to apply these parameters consistently across all its issuance systems. That's the CA's obligation, and it's why the SC-098v2 mandate matters — it forces uniform behavior across the ecosystem.

Find your account URI (per CA)

The reliable, CA-agnostic way: the account URI is the account URL your ACME client recorded at registration (the Location header returned on account creation). Read it from your client rather than building it by hand.

Let's Encrypt

Account URIs look like https://acme-v02.api.letsencrypt.org/acme/acct/12345678

Retrieve via:

  • certbot 1.23.0+: certbot show_account
  • Older certbot: read the uri field in /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/*/regr.json
  • acme.sh: from its account config
  • cert-manager: from the status.acme.uri field on the Issuer/ClusterIssuer

Google Trust Services

ACME directory is https://dv.acme-v02.api.pki.goog/directory and its CAA identity is pki.goog. Account URIs live under that host; retrieve the exact URI from your client's stored account record. GTS requires External Account Binding (EAB).

example.com.  CAA  0 issue "pki.goog; accounturi=https://dv.acme-v02.api.pki.goog/directory/<account-id>; validationmethods=dns-01"

DigiCert

Public ACME runs through CertCentral. The current directory is https://one.digicert.com/mpki/api/v1/acme/v2/directory (the legacy acme.digicert.com endpoint was retired February 24, 2026) and its CAA identity is digicert.com. DigiCert ACME requires EAB.

Take the account URI from the account record your client stored; because DigiCert's account-URI path isn't publicly documented like Let's Encrypt's, read it from your client rather than assuming a format.

Deploy it safely (the part that locks people out)

The failure mode is silent — a wrong accounturi throws no error when you publish; it fails weeks later at your next renewal as a CAA rejection in the CA's issuance log. Treat rollout like a production change.

  1. 1

    Inventory every issuer first

    List every account and validation method that legitimately issues for the domain — primary ACME clients, plus CI/CD pipelines, load balancers, CDNs and WAFs (Cloudflare, Fastly, cloud load balancers, managed platforms often hold their own accounts), and any third party or SaaS issuing under your domain. The number-one cause of a self-inflicted outage is a forgotten second issuer.

  2. 2

    Get the syntax exactly right

    Parameters live inside the quoted value separated by semicolons. The accounturi match is exact — a trailing slash, wrong acct ID, or http vs https makes it unsatisfiable. One accounturi per property — for two accounts use two separate issue records.

  3. 3

    Test before you enforce

    Start with a short TTL on the CAA record so you can back out fast. Stage in a low-risk zone or subdomain if you can. Force a renewal against the pinned account (e.g. certbot renew --force-renewal on a test cert, or your client's equivalent) and confirm issuance succeeds. Only after a real issuance succeeds should you trust the record, then raise the TTL back to normal.

  4. 4

    Keep a rollback ready

    If renewals start failing, remove or correct the accounturi and let the short TTL expire. Because CAA is checked at issuance time, backing out restores normal issuance on the next attempt — no reissue needed for existing valid certs.

What breaks if you get it wrong — and the deadline

Be precise — certificates do not break on 2027-03-15. What happens is that CA support for these parameters becomes mandatory under SC-098v2; existing certs keep working. The risk is entirely misconfiguration on your side: a wrong accounturi breaks at your next renewal, not on any calendar date.

So the deadline isn't a cliff — it's a reason to adopt the control while you have time to test it. Account pinning is one of the few CAA features that materially raises the cost of a DNS-hijack misissuance attack, and the mandate guarantees every public CA will honor it.

Checklist

  • Base CAA issue record already in place and correct
  • Inventoried every account/method issuing for the domain (including CDNs, LBs, CI/CD, third parties)
  • Retrieved the account URI from your client's account record — not hand-built
  • Record syntax verified: semicolon-separated params, exact accounturi, single accounturi per property
  • Short TTL set on the CAA record
  • Forced a real renewal through the pinned account and confirmed issuance succeeded
  • Rollback understood; TTL restored after verification

Reference record:

example.com.  CAA  0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345678; validationmethods=dns-01"

Related Resources

Try the interactive demo

Build and validate CAA records visually with the CAA Records interactive explorer.