Internal - CAA Records

July 17, 2018

"Sectigo (formerly Comodo CA) recognizes the following domain names in issue and issuewild property tags as permitting us to issue: comodo.com, comodoca.com, usertrust.com, trust-provider.com, sectigo.com"

For netsol, 'netsolssl.com' can be used as the CAA target instead of 'comodoca.com' or 'comodo.com'. Failing that, trust-provider.com will also work.

_____________________________________________________________________________

The changes to our industry guidelines (the CA/Browser Forum Baseline Requirements) make it mandatory for CAs to check the CAA record for every name requested in a certificate, at the time of issuance.
This does not mean that domains have to have the record in place. If no CAA record exists at the requested name or at any of its parent domains, the certificate can be issued. A CAA record that is present but does not list one of the names Sectigo recognizes will result in the certificate not being issued. Because the check happens at issuance, a CAA record added after a certificate was issued does not affect that certificate, but it will block renewals and new requests until it is updated.

_____________________________________________________________________________

CAA record format

The purpose of the CAA record is to let domain owners declare which certificate authorities are allowed to issue certificates for a domain. It also provides a way to tell CAs where to report a request that the policy does not authorize. If no CAA record is present, any CA may issue a certificate for the domain. If a CAA record is present, only the CAs listed in the record(s) may issue certificates for that hostname.

CAA records can set policy for the entire domain or for specific hostnames. A CA looks for CAA records at the requested name first and, if none are found, walks up through the parent domains until it finds some, so a CAA record set on example.com also applies to any subdomain such as subdomain.example.com unless that subdomain (or a name between the two) publishes its own CAA records, which then replace the parent's rather than extend them. CAA records can control the issuance of single-name certificates, wildcard certificates, or both.

The CAA record is represented by the following elements:

  • flags: an unsigned integer between 0 and 255. Only one bit is currently defined, the issuer critical flag (bit value 128); if it is set and the CA does not understand the tag, the CA must not issue.
  • tag: an ASCII string identifying the property the record carries.
  • value: the value associated with the tag.

The CAA record consists of a flags byte and a tag-value pair referred to as a property. Multiple properties MAY be associated with the same domain name by publishing multiple CAA RRs at that domain name.

The canonical representation is:

CAA <flags> <tag> <value>

The RFC currently defines 3 tags:

  • issue: explicitly authorizes a single certificate authority to issue certificates (any type, unless issuewild is also present) for the hostname. Publish one issue record per authorized CA; a value of ";" (empty issuer) means no CA may issue.
  • issuewild: explicitly authorizes a single certificate authority to issue wildcard certificates (and only wildcard certificates) for the hostname.
  • iodef: specifies a URL (a mailto: address or an HTTP(S) endpoint) to which a certificate authority may report policy violations.

If neither "issue" nor "issuewild" is specified then:
- Non-wildcard certificate requests are not restricted.
- Wildcard certificate requests are not restricted.

If only "issue" is specified then:
- "issue" applies to non-wildcard certificate requests.
- "issue" applies to wildcard certificate requests.

If only "issuewild" is specified then:
- Non-wildcard certificate requests are not restricted.
- "issuewild" applies to wildcard certificate requests.

If both "issue" and "issuewild" are specified then:
- "issue" applies to non-wildcard certificate requests.
- "issuewild" applies to wildcard certificate requests.
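The record format above and the four issue/issuewild rules, worked through in code. This is an added example written for this note, not Sectigo's or any CA's production code: it parses the canonical <flags> <tag> <value> form, climbs the tree to the closest CAA RRset, honours the critical flag, and applies the rules to both single-name and wildcard requests. The zone data is constructed for the example (it is not real DNS data), CNAME/DNAME following is deliberately left out, and the SECTIGO set simply reproduces the names quoted at the top of the page.

```python
"""CAA lookup and issuance decision, following RFC 6844/8659 semantics.

Added illustration for this note, not Sectigo's or any CA's production code.
Runs against a constructed in-memory zone so it works offline; a real CA
resolves the records over DNS. CNAME/DNAME following is omitted (assumption).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

CRITICAL = 0x80                      # issuer-critical flag bit (value 128)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Names Sectigo recognises in issue/issuewild values, per the quote at the top.
SECTIGO = {"comodo.com", "comodoca.com", "usertrust.com",
           "trust-provider.com", "sectigo.com"}


@dataclass(frozen=True)
class CAA:
    flags: int   # 0-255
    tag: str     # tags are matched case-insensitively
    value: str   # property value without the surrounding quotes


def parse_caa(presentation: str) -> CAA:
    """Parse the canonical form  <flags> <tag> <value>, e.g.  0 issue "sectigo.com"."""
    m = re.fullmatch(r'\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*', presentation)
    if not m or int(m.group(1)) > 255:
        raise ValueError(f"malformed CAA record: {presentation!r}")
    return CAA(int(m.group(1)), m.group(2).lower(), m.group(3))


def issuer_domain(value: str) -> Optional[str]:
    """issue/issuewild values are  <domain>[; key=value ...].
    An empty domain (the value ";") authorises no CA at all."""
    domain = value.split(";", 1)[0].strip().lower()
    return domain or None


def relevant_rrset(name: str, zone: Dict[str, List[CAA]]) -> List[CAA]:
    """Use the CAA RRset at the closest ancestor-or-self of name that has one.
    A child's records replace the parent's; they are not merged."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrs = zone.get(".".join(labels[i:]))
        if rrs:
            return rrs
    return []


def may_issue(request: str, ca_names: Set[str], zone: Dict[str, List[CAA]]) -> bool:
    """Decide whether a CA known by any of ca_names may issue for request.
    request may be a wildcard ("*.example.com"); CAA is then looked up at the
    name under the wildcard label and the issuewild rules apply."""
    wildcard = request.startswith("*.")
    name = request[2:] if wildcard else request
    rrset = relevant_rrset(name, zone)
    # Refuse if a critical record carries a tag we do not understand.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # The four rules: issuewild wins for wildcards when present, else issue;
    # non-wildcard requests are governed by issue alone.
    applicable = (issuewild or issue) if wildcard else issue
    if not applicable:          # no CAA at all, or only iodef: unrestricted
        return True
    wanted = {n.lower() for n in ca_names}
    return any(issuer_domain(r.value) in wanted for r in applicable)


def report_targets(name: str, zone: Dict[str, List[CAA]]) -> List[str]:
    """iodef URLs (mailto: or http(s):) a CA may use to report a refused request."""
    return [r.value for r in relevant_rrset(name, zone) if r.tag == "iodef"]


# Constructed sample zone (not real DNS data).
ZONE = {
    "example.com": [
        parse_caa('0 issue "sectigo.com"'),
        parse_caa('0 issuewild ";"'),                       # no wildcards for anyone
        parse_caa('0 iodef "mailto:security@example.com"'),
    ],
    "shop.example.com": [parse_caa('0 issue "letsencrypt.org"')],
    "legacy.example.com": [parse_caa('128 futuretag "x"')],  # critical, unknown tag
}

if __name__ == "__main__":
    for req in ("www.example.com", "*.example.com", "shop.example.com",
                "*.shop.example.com", "api.legacy.example.com", "other.org"):
        print(f"{req:26} sectigo={may_issue(req, SECTIGO, ZONE)}")
```

Points worth noticing when running it: shop.example.com publishes its own issue record, so Sectigo is refused there even though the parent allows it (child records replace, not extend); the wildcard request for example.com fails for everyone because issuewild ";" is present alongside issue; and anything under legacy.example.com is refused because the critical flag is set on a tag the checker does not know. To inspect what a live domain publishes before requesting a certificate, `dig +short CAA <name>` (then its parents) shows the records a CA will evaluate.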