Certificate Profiles
Built-in profiles and how to create custom ones.
Profiles define the cryptographic parameters and X.509 extensions applied to issued certificates. uPKI CA ships with 7 built-in profiles covering the most common use cases.
Built-in profiles
| Profile | Type | Default Validity | Key Usage | Extended Key Usage |
|---|---|---|---|---|
| ca | sslCA | 10 years | keyCertSign, cRLSign | — |
| ra | sslCA | 1 year | digitalSignature, keyEncipherment | serverAuth, clientAuth |
| server | server | 60 days | digitalSignature, keyEncipherment | serverAuth |
| webapp | server | 60 days | digitalSignature, keyEncipherment | serverAuth, clientAuth |
| laptop | user | 30 days | digitalSignature | clientAuth, emailProtection |
| user | user | 30 days | digitalSignature | clientAuth |
| admin | user | 1 year | digitalSignature | clientAuth |
Profile YAML format
Profiles are stored as YAML files in $UPKI_DATA_DIR/profiles/. To create a custom profile, drop a .yml file in that directory:
```yaml
# profiles/iot-device.yml
name: iot-device
type: user
validity: 365 # days
key_type: rsa
key_length: 2048
digest: sha256
ca: false
key_usage:
  - digitalSignature
  - keyEncipherment
extended_key_usage:
  - clientAuth
subject_alt_name:
  - email: false
  - dns: false
  - ip: true # allow IP SANs for IoT devices
```
Listing profiles via ZMQ
Request:
```json
{
  "TASK": "list_profiles",
  "params": {}
}
```
Response:
```json
{
  "EVENT": "ANSWER",
  "DATA": [
    "ca",
    "ra",
    "server",
    "webapp",
    "laptop",
    "user",
    "admin",
    "iot-device"
  ]
}
```
Getting profile details
```json
{
  "TASK": "get_profile",
  "params": {
    "profile": "server"
  }
}
```
Using a profile when issuing
Pass profile in any certificate generation request:
```json
{
  "TASK": "generate",
  "params": {
    "cn": "api.example.internal",
    "profile": "webapp",
    "sans": ["api.example.internal"]
  }
}
```
If profile is omitted, the CA defaults to "server".
Profile validation
The CA validates each requested profile at sign time. An unknown profile name results in an UPKI ERROR response.
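The following is an added example, not part of the uPKI CA code base or this page: a client-side pre-flight that loads a profile of the YAML shape shown above, checks it for internal inconsistencies (a leaf profile carrying keyCertSign, a weak digest, an undersized RSA key, unknown key-usage names), and then checks a `generate` request against the profile's `subject_alt_name` policy before it is sent over ZMQ, mirroring the CA's own rejection of unknown profile names. The profile dicts are constructed inline as PyYAML's `safe_load` would return them so the code runs without a YAML library; the `webapp` and `server` dicts are built from the table above and their key type, digest and SAN policy are assumptions, as is the rule that a SAN kind the profile does not mention is disallowed.

```python
import ipaddress

# Constructed here as the dict PyYAML's safe_load would return for the
# profiles/iot-device.yml shown on this page; embedded so no YAML library is needed.
IOT_DEVICE_PROFILE = {
    "name": "iot-device", "type": "user", "validity": 365,
    "key_type": "rsa", "key_length": 2048, "digest": "sha256", "ca": False,
    "key_usage": ["digitalSignature", "keyEncipherment"],
    "extended_key_usage": ["clientAuth"],
    "subject_alt_name": [{"email": False}, {"dns": False}, {"ip": True}],
}
# Constructed from the built-in profile table; key type, digest and SAN policy
# are assumptions, since the page does not show the built-in profile files.
WEBAPP_PROFILE = {
    "name": "webapp", "type": "server", "validity": 60,
    "key_type": "rsa", "key_length": 2048, "digest": "sha256", "ca": False,
    "key_usage": ["digitalSignature", "keyEncipherment"],
    "extended_key_usage": ["serverAuth", "clientAuth"],
    "subject_alt_name": [{"email": False}, {"dns": True}, {"ip": False}],
}
SERVER_PROFILE = dict(WEBAPP_PROFILE, name="server", extended_key_usage=["serverAuth"])
PROFILES = {p["name"]: p for p in (IOT_DEVICE_PROFILE, WEBAPP_PROFILE, SERVER_PROFILE)}

KEY_USAGE_BITS = {"digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"}            # RFC 5280 KeyUsage bits
EKU_NAMES = {"serverAuth", "clientAuth", "emailProtection", "codeSigning",
             "timeStamping", "OCSPSigning"}                   # RFC 5280 EKU names
PROFILE_TYPES = {"sslCA", "server", "user"}                   # types in the table above
SAN_KINDS = {"email", "dns", "ip"}
WEAK_DIGESTS = {"md5", "sha1"}


def validate_profile(profile):
    """Return a list of problems with a loaded profile dict; [] means acceptable."""
    problems = []
    for field in ("name", "type", "validity", "key_type", "key_length",
                  "digest", "ca", "key_usage"):
        if field not in profile:
            problems.append(f"missing field: {field}")
    if problems:
        return problems
    if profile["type"] not in PROFILE_TYPES:
        problems.append(f"unknown type: {profile['type']}")
    if not isinstance(profile["validity"], int) or profile["validity"] <= 0:
        problems.append("validity must be a positive number of days")
    if not isinstance(profile["key_length"], int) or profile["key_length"] <= 0:
        problems.append("key_length must be a positive integer")
    elif profile["key_type"] == "rsa" and profile["key_length"] < 2048:
        problems.append("rsa key_length below 2048")
    if str(profile["digest"]).lower() in WEAK_DIGESTS:
        problems.append(f"weak digest: {profile['digest']}")
    bad_ku = set(profile["key_usage"]) - KEY_USAGE_BITS
    if bad_ku or not profile["key_usage"]:
        problems.append(f"invalid key_usage: {sorted(bad_ku) or 'empty'}")
    bad_eku = set(profile.get("extended_key_usage", [])) - EKU_NAMES
    if bad_eku:
        problems.append(f"invalid extended_key_usage: {sorted(bad_eku)}")
    # ca: and keyCertSign must agree, otherwise a leaf profile could mint a
    # CA certificate, or a CA profile would issue a certificate that cannot sign.
    signs = "keyCertSign" in profile["key_usage"]
    if profile["ca"] and not signs:
        problems.append("ca: true but keyCertSign missing from key_usage")
    if not profile["ca"] and signs:
        problems.append("ca: false but key_usage grants keyCertSign")
    for entry in profile.get("subject_alt_name", []):
        if not isinstance(entry, dict) or len(entry) != 1:
            problems.append(f"subject_alt_name entry must be a single key/value: {entry!r}")
            continue
        (kind, allowed), = entry.items()
        if kind not in SAN_KINDS or not isinstance(allowed, bool):
            problems.append(f"bad subject_alt_name entry: {entry!r}")
    return problems


def san_policy(profile):
    """Flatten the list-of-single-key-maps form into {"email": bool, "dns": bool, "ip": bool}.
    Kinds the profile does not mention are treated as disallowed (an assumption)."""
    policy = dict.fromkeys(SAN_KINDS, False)
    for entry in profile.get("subject_alt_name", []):
        policy.update(entry)
    return policy


def classify_san(value):
    """Rough SAN kind detection for the pre-flight: IP literal, email address, else DNS name."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "email" if "@" in value else "dns"


def check_generate_request(request, profiles=PROFILES):
    """Pre-flight a 'generate' TASK before sending it over ZMQ.
    Returns [] if acceptable, else a list of problems. As with the CA's own
    sign-time check, an unknown profile name is rejected outright."""
    params = request.get("params", {})
    name = params.get("profile", "server")        # the CA defaults to "server" when omitted
    if name not in profiles:
        return [f"unknown profile: {name}"]
    policy = san_policy(profiles[name])
    return [f"SAN {san!r} is a {classify_san(san)} name, not permitted by profile {name!r}"
            for san in params.get("sans", []) if not policy[classify_san(san)]]
```

Running `validate_profile` over every file in the profiles directory at deploy time catches the inconsistencies a YAML typo introduces before the CA ever signs with them; `check_generate_request` gives callers the same failure the CA would return, but with a reason attached rather than a bare error response.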