Policy Rules Reference¶

Each policy contains one or more rules. Each rule has the following structure:

{
  "action": "<rule_action>",
  "fail": "hard",
  "values": { }
}

Field	Description
`action`	The rule type (see tables below)
`fail`	`"hard"` blocks issuance; `"soft"` generates a warning only
`values`	Rule-specific parameters; omitted for rules that take no parameters

Subject / Value Enforcement¶

Action	`values` keys	Description
`enforce_values`	`organization`, `organizational_unit`, `country`, `state`, `locality` (any subset)	Enforces exact values for certificate subject fields
`enforce_key_usage`	`key_usage` (array), `extended_key_usage` (array)	Enforces specific key usage extensions

Domain Restrictions¶

Action	Description
`disable_wildcard`	Blocks wildcard certificates (`*.example.com`)
`block_subdomains`	Blocks subdomain certificates
`block_other_domains`	Alerts or blocks domains outside the policy's matching scope
`enforce_domain_suffix`	Requires all domains to end with a specified suffix (e.g. `.corp.example.com`)

Key and Algorithm Policies¶

Action	`values` keys	Description
`enforce_minimum_key_size`	`minimum_bits` (`"2048"` to `"8192"`)	Minimum RSA key size; for EC, checks curve size
`enforce_algorithm`	`algorithm` (`"rsa"` or `"ecdsa"`)	Restricts to a specific algorithm family
`enforce_digest`	`digest` (`"sha256"`, `"sha384"`, `"sha512"`)	Requires a specific digest algorithm

Validity Policies¶

Action	`values` keys	Description
`enforce_max_validity`	`max_days`	Maximum certificate validity in days
`enforce_min_validity`	`min_days`	Minimum certificate validity in days

SAN Restrictions¶

Action	`values` keys	Description
`block_ip_in_san`	(none)	Blocks IP addresses in Subject Alternative Names
`enforce_max_san_count`	`max_count`	Limits the total number of SANs
`require_san`	(none)	Requires at least one SAN entry
`block_email_in_san`	(none)	Blocks email addresses (RFC 822 names) in SANs

Naming Policies¶

Action	`values` keys	Description
`enforce_common_name_pattern`	`pattern` (regex)	Requires the common name to match the given pattern

Security and Compliance¶

Action	`values` keys	Description
`require_certificate_transparency`	(none)	Requires Certificate Transparency logging
`enforce_renewal_window`	`days_before_expiry`	Restricts renewal to a window before expiry
`block_ca_flag`	(none)	Prevents `CA:TRUE` in Basic Constraints, blocking CA certificate issuance

Purpose Restrictions¶

Action	`values` keys	Description
`enforce_certificate_purpose`	`purpose` (`"server"`, `"client"`, `"both"`)	Restricts Extended Key Usage to the specified purpose

Integration¶

Action	`values` keys	Description
`enforce_integration_ca`	`integration_ca` (CA identifier string)	Requires issuance via a specific CA integration

Rate Limiting¶

Action	`values` keys	Description
`rate_limit_per_domain`	`max_certificates`, `period_days`	Limits the number of certificates issued per domain within a rolling time window

Example Policy with Multiple Rules¶

{
  "name": "Production Security Baseline",
  "matching_criteria": {
    "action": "certificate.generate",
    "domains": ["*.prod.example.com"]
  },
  "rules": [
    {
      "action": "enforce_algorithm",
      "fail": "hard",
      "values": { "algorithm": "rsa" }
    },
    {
      "action": "enforce_minimum_key_size",
      "fail": "hard",
      "values": { "minimum_bits": "3072" }
    },
    {
      "action": "enforce_digest",
      "fail": "hard",
      "values": { "digest": "sha256" }
    },
    {
      "action": "enforce_max_validity",
      "fail": "hard",
      "values": { "max_days": "365" }
    },
    {
      "action": "block_ca_flag",
      "fail": "hard"
    },
    {
      "action": "require_san",
      "fail": "soft"
    }
  ],
  "is_enabled": true
}