Certificate profile fields
Certificate profiles define how certificates are issued, including validity rules, extensions, policies, and distribution points. This page documents all available configuration fields for certificate profiles.
- Basic profile fields
- Validity and time settings
- PKCS#12 generation
- Basic CA Constraints extension
- Key Usages and Extended Key Usages extension
- Subject Alternative Names (SAN) extension
- Certificate Policies extension
- Private Key Usage Period extension
- OCSP No Check extension
- Adobe-specific extensions
- Custom extensions configuration
ℹ Some fields support both UI and JSON configuration, while others are JSON-only.
Basic profile fields
See below for the basic fields required for all certificate profiles.
| UI | JSON | Type | Description | Mandatory |
|---|---|---|---|---|
| Profile ID | — | string | A unique identifier for the certificate profile. Must be 2–64 characters consisting of lowercase letters and numbers. | Yes |
| Profile Group | — | string | The name of the group to which the profile belongs. Must be 2–64 characters consisting of lowercase letters and numbers. Every profile must be associated with exactly one group. | Yes |
| Default CA Types | allowedCATypes | array of string | The types of certificate authorities the profile supports, as a list of Type identifiers. | Specify at least one type |
Validity and time settings
See below for fields related to certificate validity periods and time settings.
| UI | JSON | Type | Description | Mandatory |
|---|---|---|---|---|
| Validity period | validity_period | string | The validity period for issued certificates as an ISO 8601 interval or duration – for example: P3Y, P47D. | Yes |
| — | backdate | string (duration) | The period subtracted from the current date when calculating notBefore if not_before is omitted in the request – for example: 1s, 5m, 1h. | Defaults to 30m |
| — | truncate_to_ca_not_after | boolean | When true, the certificate notAfter is automatically adjusted to match the CA's notAfter. When false, certificate requests with a notAfter date exceeding the issuing CA's notAfter fail with an error. | Defaults to false |
To accommodate clock skew between systems, the backdate field is applied only when the certificate request does not specify a not_before value and the profile does not define one.
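The following is an added example, not the product's own code: a small model of the validity rules above (validity_period, backdate with its 30m default, and truncate_to_ca_not_after), written in Python with the standard library. It assumes a profile dict keyed by this page's JSON field names, a request dict that may carry a `not_before` datetime, and an optional profile-level `not_before`.

```python
import calendar
import re
from datetime import datetime, timedelta

# Assumed shapes (an added model of the documented rules, not the product's code):
# `profile` is a dict using this page's JSON field names, `request` may carry
# "not_before"; all datetimes are timezone-aware.
ISO_DURATION = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)
BACKDATE = re.compile(r"^(\d+)([smh])$")  # the 1s / 5m / 1h form used by backdate


def add_iso_duration(start: datetime, spec: str) -> datetime:
    """Add an ISO 8601 duration such as P3Y or P47D to `start` (weeks not handled)."""
    m = ISO_DURATION.fullmatch(spec)
    if not m or not any(m.groups()):
        raise ValueError(f"bad ISO 8601 duration: {spec}")
    years, months, days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    # Calendar part first: step years/months, clamping the day to the target month.
    total = start.month - 1 + years * 12 + months
    year, month = start.year + total // 12, total % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    end = start.replace(year=year, month=month, day=day)
    return end + timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_backdate(spec: str) -> timedelta:
    m = BACKDATE.fullmatch(spec)
    if not m:
        raise ValueError(f"bad backdate: {spec}")
    unit = {"s": "seconds", "m": "minutes", "h": "hours"}[m.group(2)]
    return timedelta(**{unit: int(m.group(1))})


def compute_validity(profile: dict, request: dict, ca_not_after: datetime,
                     now: datetime) -> tuple[datetime, datetime]:
    """Return (notBefore, notAfter) for a request issued under `profile`."""
    not_before = request.get("not_before") or profile.get("not_before")
    if not_before is None:
        # backdate (default 30m) applies only when neither request nor profile set not_before
        not_before = now - parse_backdate(profile.get("backdate", "30m"))
    not_after = add_iso_duration(not_before, profile["validity_period"])
    if not_after > ca_not_after:
        if profile.get("truncate_to_ca_not_after", False):
            not_after = ca_not_after  # clamp to the issuing CA's notAfter
        else:
            raise ValueError("notAfter would exceed the issuing CA's notAfter")
    return not_before, not_after
```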
PKCS#12 generation
See below for fields related to PKCS#12 generation with server-side key generation.
| UI | JSON | Type | Description | Mandatory |
|---|---|---|---|---|
| — | gen_key_allowed | array of string | Allowed key types for PKCS#12 generation with server-side key generation. Supported values: RSA2048, RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521. | No |
Basic CA Constraints extension
See below for fields related to the Basic Constraints extension for CA certificates.
| UI | JSON | Type | Description | Mandatory |
|---|---|---|---|---|
| — | ca_constraint | object | Basic Constraints configuration for CA certificates. | No |
| — | ca_constraint.is_ca | boolean | When true, sets the CA bit in Basic Constraints, designating this as a CA certificate. | Defaults to false |
| — | ca_constraint.max_path_len | integer (int32) | Maximum number of intermediate CAs that can follow this CA in a certificate chain. | No |
| — | ca_constraint.max_path_len_zero | boolean | When true, explicitly sets the path length to zero. | Defaults to false |
Key Usages and Extended Key Usages extension
See below for fields related to the Key Usages and Extended Key Usages (EKU) extensions.
| UI | JSON | Type | Description | Mandatory |
|---|---|---|---|---|
| Key Usages | usages | array of string | Key usages and/or Extended Key Usage (EKU) OIDs permitted for certificates issued using this profile – for example: signing, key encipherment, 1.3.6.1.5.5.7.3.1 (TLS server authentication). | Yes |
| Extended key Usages | usages | array of string | Extended key usages (EKUs) permitted for certificates. Can include standard names or OIDs, such as 1.3.6.1.5.5.7.3.1 for TLS server authentication. | No |
| — | critical_eku | boolean | When true, the Extended Key Usage extension is marked as critical. | Defaults to false |
Use the JSON configuration to specify custom OIDs not available in the UI dropdown.
Subject Alternative Names (SAN) extension
See below for fields related to the Subject Alternative Names (SAN) extension.
| UI | JSON | Type | Description | Mandatory |
|---|---|---|---|---|
| — | fill_san_dns_with_cn | boolean | When true, automatically adds all Common Name (CN) values to Subject Alternative Name (SAN) DNS entries. | Defaults to false |
Certificate Policies extension
See below for fields related to the Certificate Policies extension.
| UI | JSON | Type | Description | Mandatory |
|---|---|---|---|---|
| — | policies | array of CertificatePolicy | List of certificate policies to include in issued certificates. | No |
| — | policies[].id | string (OID) | Policy object identifier. Example: 1.3.6.1.4.1.34697.2.6. | When using policies |
| — | policies[].qualifiers | array of CertificatePolicyQualifier | Optional policy qualifiers providing additional policy information. | No |
| — | policies[].qualifiers[].type | string | Qualifier type. Supported values: id-qt-unotice (user notice) or id-qt-cps (Certification Practice Statement). | When using qualifiers |
| — | policies[].qualifiers[].value | string | Qualifier value. For id-qt-cps, this is typically a URL. Example: http://www.entrust.net/rpa. | When using qualifiers |
| — | critical_policies_extension | boolean | When true, marks the Certificate Policies extension as critical. | Defaults to false |
Private Key Usage Period extension
See below for fields related to the Private Key Usage Period extension.
| UI | JSON | Type | Description | Mandatory |
|---|---|---|---|---|
| — | private_key_usage_period | string (duration) | Defines the private key usage period. Examples: 12h, 30d. | No |
OCSP No Check extension
See below for fields related to the OCSP No Check extension.
| UI | JSON | Type | Description | Mandatory |
|---|---|---|---|---|
| — | ocsp_no_check | boolean | When true, adds the id-pkix-ocsp-nocheck extension, typically used for OCSP responder certificates. | Defaults to false |
Adobe-specific extensions
See below for fields related to Adobe-specific extensions.
| UI | JSON | Type | Description | Mandatory |
|---|---|---|---|---|
| — | adobe_archive_rev_info | boolean | When true, adds the ArchiveRevInfo extension required for Adobe CDS (Certificate Security for Digital Signatures). | Defaults to false |
| — | adobe_timestamp | object | Adobe timestamp configuration for timestamping operations. | No |
| — | adobe_timestamp.location | string (uri) | URL endpoint for the Adobe timestamping service. | No |
| — | adobe_timestamp.requires_auth | boolean | When true, indicates that the timestamp endpoint requires authentication. | Defaults to false |
Custom extensions configuration
See below for fields related to custom extension handling.
| UI | JSON | Type | Description | Mandatory |
|---|---|---|---|---|
| — | allowed_extensions | array of OID | List of OIDs for additional extensions that may be copied from certificate requests. Extensions not in this list are rejected unless ignore_unknown_extensions is true. | No |
| — | ignore_unknown_extensions | boolean | When false, the request fails validation if it includes any extension not listed in allowed_extensions. When true, unknown extensions are silently ignored. | Defaults to false |
| — | extensions | array of Extension | Static extensions to add to all certificates issued with this profile. | No |
| — | extensions[].id | string (OID) | Object identifier for the extension. Example: 1.3.6.1.5.5.7.1.1 (Authority Information Access). | When using extensions |
| — | extensions[].value | string (byte) | Base64-encoded DER value for the extension. | When using extensions |
| — | extensions[].critical | boolean | When true, marks the extension as critical. | Defaults to false |
Static extensions defined in extensions[] are added to all certificates issued with this profile.
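The following is an added example, not the product's own code: a Python model of how allowed_extensions, ignore_unknown_extensions and the static extensions[] list interact when a request is processed. It assumes requested extensions arrive as dicts with `id`, `critical` and DER `value` keys, that a static profile extension with the same OID as a requested one replaces it (RFC 5280 forbids duplicate extensions), and it checks only the outer DER length of each static value.

```python
import base64

# Added model of the documented behaviour, not the product's code. Assumptions:
# a requested extension is a dict {"id": OID, "critical": bool, "value": DER bytes};
# a static profile extension with the same OID as a requested one replaces it, so
# no OID appears twice (RFC 5280 forbids duplicate extensions in one certificate).


def check_der(value: bytes) -> None:
    """Reject values that are not exactly one complete DER element (outer TLV only)."""
    if len(value) < 2:
        raise ValueError("DER value too short")
    first = value[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(value) < 2 + n:
            raise ValueError("bad DER length encoding")
        length, header = int.from_bytes(value[2:2 + n], "big"), 2 + n
    if header + length != len(value):
        raise ValueError("DER length does not match value size")


def apply_extension_policy(profile: dict, requested: list[dict]) -> list[dict]:
    """Filter request extensions per allowed_extensions / ignore_unknown_extensions,
    then append the profile's static extensions[] (base64 DER decoded and checked)."""
    allowed = set(profile.get("allowed_extensions", []))
    ignore_unknown = profile.get("ignore_unknown_extensions", False)
    by_oid: dict[str, dict] = {}
    for ext in requested:
        if ext["id"] in allowed:
            by_oid[ext["id"]] = ext
        elif not ignore_unknown:
            raise ValueError(f"extension {ext['id']} is not in allowed_extensions")
        # ignore_unknown_extensions=true: the unknown extension is silently dropped
    for ext in profile.get("extensions", []):
        value = base64.b64decode(ext["value"], validate=True)  # bad base64 -> ValueError
        check_der(value)                                       # malformed DER -> ValueError
        by_oid[ext["id"]] = {"id": ext["id"], "critical": ext.get("critical", False),
                             "value": value}
    return list(by_oid.values())
```

The constructed sample values used to exercise this are the SAN OID 2.5.29.17, the EKU OID 2.5.29.37 and an empty SEQUENCE (`MAA=`) standing in for a real AIA value.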