From 5b88f6a9cbf6bfe194591e53390575257124d8e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nils=20Gustav=20Str=C3=A5b=C3=B8?=
 <65334626+nilsgstrabo@users.noreply.github.com>
Date: Wed, 11 Dec 2024 16:36:35 +0100
Subject: [PATCH] add info about CAA record in certificate automation

---
 public-site/docs/guides/external-alias/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public-site/docs/guides/external-alias/index.md b/public-site/docs/guides/external-alias/index.md
index ebb0e5ca..93236569 100644
--- a/public-site/docs/guides/external-alias/index.md
+++ b/public-site/docs/guides/external-alias/index.md
@@ -51,7 +51,7 @@ frontend-myapp-prod.radix.equinor.com
 
 Add the alias to `dnsExternalAlias` in [radixconfig.yaml](../../radix-config/index.md#dnsexternalalias). You can add multiple entries as long as the `alias` value is unique. The referenced environment must be re-deployed in order for the changes to take effect.
 
-If `useCertificateAutomation` is `true`, the external DNS record must be already created in order for Radix to start the automatic certificate issuing process.
+If `useCertificateAutomation` is `true`, the external DNS record must be created in order for Radix to start the automatic certificate issuing process. `digicert.com` must also be authorized (from [CAA](https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization) records) to issue certificates to the `alias`. You can use an online tool like [Entrust CAA Lookup](https://www.entrust.com/resources/tools/caa-lookup) to check this.
 
 ``` yaml
 apiVersion: radix.equinor.com/v1