A certificate policy is a policy structure specifying permitted attributes for requested certificates. This includes constraints around subject naming conventions, SAN fields, key usages, and extended key usages.Each certificate requested against a certificate profile is validated against the policy bound to that profile. If the request fails any criteria included in the policy, the certificate is not issued. This helps administrators enforce uniformity and security standards across all issued certificates.
To create a certificate policy, head to your Certificate Management Project > Certificate Manager > Certificate Policies and press Create Policy.Here’s some guidance on each field:
Policy Name: A slug-friendly name for the policy such as tls-server.
Description: An optional description for the policy.
Subject Attributes: A list of common names that can be included in the certificate subject. Each row accepts a fixed value or pattern such as example.com or *.example.com and whether it is allowed or denied.
Subject Alternative Names (SANs): A list of SANs that can appear in the certificate. Each row accepts a SAN type (e.g. DNS, IP, Email, URI), a fixed value or pattern such as example.com or *.example.com, and an allow or deny flag.
Allowed Signature Algorithms: The set of signature algorithms permitted to sign certificates under this policy such as SHA256-RSA, SHA512-RSA, etc.
Allowed Key Algorithms: The set of public key algorithms permitted for certificate requests such as RSA-2048, RSA-4096, etc.
Key Usages: The cryptographic purposes of the certificate such as Digital Signature, Key Encipherment, etc.
Extended Key Usages: The higher-level intended uses of the certificate such as Server Authentication, Client Authentication, etc.
Certificate Validity: The maximum lifetime of certificates that can be requested for certificates validated against this policy. You can specify both a duration and unit (days, months, or years).
Here’s some guidance on each field: